<html>
<head><meta charset="utf-8"><title>RustSec · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html">RustSec</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="136079650"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/136079650" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#136079650">(Oct 18 2018 at 23:51)</a>:</h4>
<p>Thought I'd make a topic about RustSec and merging it into this WG. There's also a GitHub issue <a href="https://github.com/rust-secure-code/wg/issues/4" target="_blank" title="https://github.com/rust-secure-code/wg/issues/4">https://github.com/rust-secure-code/wg/issues/4</a></p>



<a name="148742573"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/148742573" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#148742573">(Nov 28 2018 at 20:54)</a>:</h4>
<p>Opened an issue to talk about collecting structured info about vulnerable functions in advisories: <a href="https://github.com/RustSec/advisory-db/issues/68" target="_blank" title="https://github.com/RustSec/advisory-db/issues/68">https://github.com/RustSec/advisory-db/issues/68</a></p>



<a name="148742591"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/148742591" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#148742591">(Nov 28 2018 at 20:54)</a>:</h4>
<p>for use with a tool like RustPräzi  <a href="https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912" target="_blank" title="https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912">https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912</a></p>



<a name="151201055"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151201055" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151201055">(Dec 09 2018 at 00:39)</a>:</h4>
<p>I've just searched for "sigsegv language:rust" on Github issues, found a few projects that fixed serious issues (mostly use-after-free) without filing a RustSec or CVE and directed them to do so. Hopefully we'll see a slight influx in RustSec reports. I'll also post the most prominent ones to Reddit to get RustSec more visibility.</p>



<a name="151201057"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151201057" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151201057">(Dec 09 2018 at 00:39)</a>:</h4>
<p>That tool for checking for transitive dependencies on vulnerable crate versions would come in handy right about now to get some hard data on how bad things are in absence of out-of-the-box notifications about vulnerabilities. Is the tool or at least the results public yet?</p>



<a name="151203101"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151203101" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151203101">(Dec 09 2018 at 01:55)</a>:</h4>
<p>yes: <a href="https://crates.rustsec.org" target="_blank" title="https://crates.rustsec.org">https://crates.rustsec.org</a></p>



<a name="151203158"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151203158" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151203158">(Dec 09 2018 at 01:57)</a>:</h4>
<p>Is sorting this by downloads on the roadmap?</p>



<a name="151203577"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151203577" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151203577">(Dec 09 2018 at 02:13)</a>:</h4>
<p>not sure, maybe ask <span class="user-mention" data-user-id="132723">@Zach Reizner</span></p>



<a name="151203938"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151203938" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151203938">(Dec 09 2018 at 02:26)</a>:</h4>
<p>IMO it's not realistic to expect people to do that paperwork so either somebody should do it for them or, more realistically, we shouldn't rely on it being done.</p>



<a name="151219195"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151219195" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151219195">(Dec 09 2018 at 11:41)</a>:</h4>
<p>Well, the only thing I can think of would be some kind of bot that scrapes GitHub and GitLab and pre-filters bugs that could be security vulnerabilities. Keywords should do it, although we could throw in some kind of fancy machine learning thing later once we have a reasonably sized dataset</p>



<a name="151227816"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151227816" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151227816">(Dec 09 2018 at 16:44)</a>:</h4>
<p>I think we need to figure out at what stage people are dropping out of the funnel. Are they not making time to file it? Are they trying to but it's too hard? Are they not aware it'd be valuable?</p>



<a name="151229008"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151229008" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151229008">(Dec 09 2018 at 17:23)</a>:</h4>
<p><span class="user-mention" data-user-id="130046">@Alex Gaynor</span> I don't think it's valuable since nobody is willing to pay people to do it.</p>



<a name="151229013"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151229013" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151229013">(Dec 09 2018 at 17:23)</a>:</h4>
<p>And since it's not valuable, why do it?</p>



<a name="151229053"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151229053" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151229053">(Dec 09 2018 at 17:24)</a>:</h4>
<p>As it were, after nearly two months of nothing there have been two filed in the past two days, possibly thanks to <span class="user-mention" data-user-id="127617">@Shnatsel</span></p>



<a name="151229063"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151229063" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151229063">(Dec 09 2018 at 17:25)</a>:</h4>
<p>also someone talking about a high severity one in the <code>yaml</code> crate which they are trying to disclose privately</p>



<a name="151233066"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151233066" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151233066">(Dec 09 2018 at 19:23)</a>:</h4>
<p>My guess is people are simply not aware that RustSec exists, and CVE feels out of reach (and for the most part actually was until <a href="http://iwantacve.org" target="_blank" title="http://iwantacve.org">iwantacve.org</a>)</p>



<a name="151233634"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151233634" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151233634">(Dec 09 2018 at 19:40)</a>:</h4>
<p>Oh, I've seen someone reporting a bug in <code>serde-yaml</code> after fuzzing it. It got turned down as invalid though.<br>
I feel people should use <code>yaml-rust</code> instead of <code>yaml</code>, as <code>yaml-rust</code> is 100% safe rust and more feature-complete at the same time.</p>



<a name="151293264"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151293264" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151293264">(Dec 10 2018 at 18:24)</a>:</h4>
<p>yeah, re: awareness, obviously upstreaming it into <code>cargo</code> as a first-class feature would help there</p>



<a name="151293312"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151293312" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151293312">(Dec 10 2018 at 18:25)</a>:</h4>
<p>we're having a call about RustSec later this week if anyone is interested</p>



<a name="151293331"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151293331" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151293331">(Dec 10 2018 at 18:25)</a>:</h4>
<p>Wednesday, December 12. 12:30 PM PST.</p>



<a name="151293431"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151293431" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151293431">(Dec 10 2018 at 18:26)</a>:</h4>
<p>How does one enter this call?</p>



<a name="151293470"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151293470" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151293470">(Dec 10 2018 at 18:27)</a>:</h4>
<blockquote>
<p>Is sorting this by downloads on the roadmap?</p>
</blockquote>
<p>Yep. I just haven't made time to do it.  Anybody else can of course work on it as well.</p>



<a name="151293506"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151293506" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151293506">(Dec 10 2018 at 18:27)</a>:</h4>
<p>hmm, I'm looking at the invite and I'm not sure we actually picked a method, heh</p>



<a name="151293590"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151293590" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151293590">(Dec 10 2018 at 18:28)</a>:</h4>
<p>oh wait, now they're talking about moving it to earlier in the day <span class="emoji emoji-1f609" title="wink">:wink:</span></p>



<a name="151293598"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151293598" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151293598">(Dec 10 2018 at 18:28)</a>:</h4>
<p>ok 1s let me get the details</p>



<a name="151293694"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151293694" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151293694">(Dec 10 2018 at 18:29)</a>:</h4>
<p>What mailing list is the scheduling of the meeting happening on?</p>



<a name="151293823"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151293823" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151293823">(Dec 10 2018 at 18:30)</a>:</h4>
<p>this is the initial meeting we're having with the people that Ashley told us about months ago who were also interested in working on something like RustSec</p>



<a name="151293844"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151293844" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151293844">(Dec 10 2018 at 18:31)</a>:</h4>
<p>it's been very hard to get in touch with them for whatever reason</p>



<a name="151293856"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151293856" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151293856">(Dec 10 2018 at 18:31)</a>:</h4>
<p>Ashley intro'd us via a private email</p>



<a name="151395673"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151395673" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151395673">(Dec 10 2018 at 19:56)</a>:</h4>
<p>If you could put the meeting into an online calendar that automatically converts timezones, that'd be great</p>



<a name="151396336"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151396336" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151396336">(Dec 10 2018 at 20:01)</a>:</h4>
<p>I will when we coordinate a time, heh</p>



<a name="151400709"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151400709" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151400709">(Dec 10 2018 at 20:56)</a>:</h4>
<p>(at this point, it's more like they coordinate a time... so far we haven't rejected any times they proposed)</p>



<a name="151413040"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151413040" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151413040">(Dec 11 2018 at 00:38)</a>:</h4>
<p>In other news, OpenSSL keeps being depressing. <a href="https://github.com/sfackler/rust-openssl/pull/942" target="_blank" title="https://github.com/sfackler/rust-openssl/pull/942">https://github.com/sfackler/rust-openssl/pull/942</a> is a use-after-free in Rust bindings that did not get reported to RustSec. And now <a href="https://github.com/diesel-rs/diesel/issues/813" target="_blank" title="https://github.com/diesel-rs/diesel/issues/813">https://github.com/diesel-rs/diesel/issues/813</a> seems to trace back to OpenSSL bindings as well, and it's on a version that already has a fix for the former bug</p>



<a name="151413300"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151413300" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151413300">(Dec 11 2018 at 00:43)</a>:</h4>
<p>Just spoke with sfackler, I'm going to submit a RustSec advisory for that.</p>



<a name="151413575"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151413575" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151413575">(Dec 11 2018 at 00:49)</a>:</h4>
<p>Looks like rust-openssl needs automatic safety verification just as badly as libstd. I'm trying to pitch the "autogenerate fuzzing harnesses based on Rust types with <code>syn</code> and <code>Arbitrary</code>" as a 20% project so I can finally get around to actually doing that, wish me luck.</p>



<a name="151413584"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151413584" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151413584">(Dec 11 2018 at 00:49)</a>:</h4>
<p>This seems like it'd have been caught with a test + ASAN?</p>



<a name="151413646"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151413646" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151413646">(Dec 11 2018 at 00:50)</a>:</h4>
<p>Not sure about a test + ASAN, pretty sure about fuzzer + ASAN</p>



<a name="151413662"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151413662" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151413662">(Dec 11 2018 at 00:51)</a>:</h4>
<p>This UAF does not appear to be data-dependent, am I reading this wrong?</p>



<a name="151413719"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151413719" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151413719">(Dec 11 2018 at 00:52)</a>:</h4>
<p>I actually haven't dug into it, so can't really comment, sorry.</p>



<a name="151413741"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151413741" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151413741">(Dec 11 2018 at 00:53)</a>:</h4>
<p>I've looked through, like, a hundred github issues that day.</p>



<a name="151414120"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151414120" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151414120">(Dec 11 2018 at 01:01)</a>:</h4>
<p><a href="https://github.com/RustSec/advisory-db/pull/77" target="_blank" title="https://github.com/RustSec/advisory-db/pull/77">https://github.com/RustSec/advisory-db/pull/77</a></p>



<a name="151457695"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151457695" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151457695">(Dec 11 2018 at 16:24)</a>:</h4>
<p>ok, guess we're back to the original proposed time (12:30PM PST) for the call tomorrow <a href="https://calendar.google.com/event?action=TEMPLATE&amp;tmeid=NTE3NjdqZGpkYTM3cHI2NGIxMzBmOW9mZHIgYmFzY3VsZUBt&amp;tmsrc=bascule%40gmail.com" target="_blank" title="https://calendar.google.com/event?action=TEMPLATE&amp;tmeid=NTE3NjdqZGpkYTM3cHI2NGIxMzBmOW9mZHIgYmFzY3VsZUBt&amp;tmsrc=bascule%40gmail.com">https://calendar.google.com/event?action=TEMPLATE&amp;tmeid=NTE3NjdqZGpkYTM3cHI2NGIxMzBmOW9mZHIgYmFzY3VsZUBt&amp;tmsrc=bascule%40gmail.com</a></p>



<a name="151474223"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151474223" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151474223">(Dec 11 2018 at 19:29)</a>:</h4>
<p>That link doesn't work. Is 12:30 PM just past noon or just past midnight?</p>



<a name="151474315"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151474315" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151474315">(Dec 11 2018 at 19:30)</a>:</h4>
<p>Doesn't work for me either.</p>



<a name="151482668"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151482668" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151482668">(Dec 11 2018 at 21:40)</a>:</h4>
<p>Shnatsel: just past noon PST, or 20:30 GMT (December 12th)</p>



<a name="151482702"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151482702" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151482702">(Dec 11 2018 at 21:41)</a>:</h4>
<p>How long does the call last?</p>



<a name="151482812"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151482812" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151482812">(Dec 11 2018 at 21:43)</a>:</h4>
<p>I'm not sure, somewhere between a half hour to an hour I'd guess?</p>



<a name="151482819"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151482819" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151482819">(Dec 11 2018 at 21:44)</a>:</h4>
<p>(note I'm not really organizing this call, just relaying the information)</p>



<a name="151552402"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151552402" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151552402">(Dec 12 2018 at 18:25)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> you've never shared a link to the call. Is it over hangouts, zoom, something else?</p>



<a name="151556480"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151556480" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151556480">(Dec 12 2018 at 19:24)</a>:</h4>
<p>it's some service I haven't used before, but at least it doesn't appear to need any native app or extension, I think? Description: <a href="https://mozilla.stpeter.im/stpeter" target="_blank" title="https://mozilla.stpeter.im/stpeter">https://mozilla.stpeter.im/stpeter</a></p>



<a name="151556605"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151556605" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151556605">(Dec 12 2018 at 19:26)</a>:</h4>
<p>That link gives me "server not found"</p>



<a name="151556627"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151556627" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151556627">(Dec 12 2018 at 19:26)</a>:</h4>
<p>ditto</p>



<a name="151556633"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151556633" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151556633">(Dec 12 2018 at 19:27)</a>:</h4>
<p>(again, not organizing this)</p>



<a name="151561081"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151561081" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151561081">(Dec 12 2018 at 20:27)</a>:</h4>
<p>haven't heard back yet re: the link being dead</p>



<a name="151561313"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151561313" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151561313">(Dec 12 2018 at 20:30)</a>:</h4>
<p>prospective hangout: <a href="https://meet.google.com/czp-rwnf-xvy" target="_blank" title="https://meet.google.com/czp-rwnf-xvy">https://meet.google.com/czp-rwnf-xvy</a></p>



<a name="151725983"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151725983" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151725983">(Dec 13 2018 at 19:28)</a>:</h4>
<p>is there going to be a writeup about yesterday's call?</p>



<a name="151728343"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151728343" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151728343">(Dec 13 2018 at 19:58)</a>:</h4>
<p>I don't think anyone took notes, unfortunately. That probably would've been a good idea.</p>



<a name="151728383"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151728383" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151728383">(Dec 13 2018 at 19:59)</a>:</h4>
<p>it was mostly introducing a new person to the project, and the main action item is to create a "Pre-RFC" thread on rust-internals to discuss a first-class security advisory feature in cargo</p>



<a name="151728388"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151728388" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151728388">(Dec 13 2018 at 19:59)</a>:</h4>
<p>which I can take... fairly soon</p>



<a name="151728481"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151728481" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151728481">(Dec 13 2018 at 20:00)</a>:</h4>
<p>maybe I should just go do that</p>



<a name="151729409"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151729409" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151729409">(Dec 13 2018 at 20:15)</a>:</h4>
<p>Yeah, it was basically getting a new person up to speed, and then everybody agreeing that moving forward with a pre-RFC is a good idea.</p>



<a name="151729413"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151729413" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151729413">(Dec 13 2018 at 20:15)</a>:</h4>
<p>I don't think anything else important was discussed.</p>



<a name="151731467"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151731467" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151731467">(Dec 13 2018 at 20:47)</a>:</h4>
<p>I made a thread: <a href="https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017" target="_blank" title="https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017">https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017</a></p>



<a name="151808854"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151808854" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151808854">(Dec 14 2018 at 22:12)</a>:</h4>
<p>I think I've just incited a lot of heated discussion in your thread: <a href="https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/7" target="_blank" title="https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/7">https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/7</a></p>



<a name="151809184"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151809184" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151809184">(Dec 14 2018 at 22:19)</a>:</h4>
<p>haha, hopefully! those are good issues</p>



<a name="151810942"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151810942" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151810942">(Dec 14 2018 at 22:59)</a>:</h4>
<blockquote>
<p>I think I've just incited a lot of heated discussion in your thread: <a href="https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/7" target="_blank" title="https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/7">https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/7</a></p>
</blockquote>
<p>how does npm handle those?</p>



<a name="151811047"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151811047" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151811047">(Dec 14 2018 at 23:01)</a>:</h4>
<p>Warns you when you run <code>npm update</code> and depend on vulnerable versions for which no semver-compatible upgrade is available or you froze the version. NPM actually does that pretty poorly; it had to roll out at least something because of competition from <code>yarn</code>.</p>



<a name="151812127"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151812127" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151812127">(Dec 14 2018 at 23:21)</a>:</h4>
<p>but maybe it's a start and there's no real competition risk for cargo.</p>
<p>I think it's better to have a suboptimal solution while working on a good one than not have a solution at all until a good one is ready</p>



<a name="151812379"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151812379" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151812379">(Dec 14 2018 at 23:26)</a>:</h4>
<p><span class="emoji emoji-1f609" title="wink">:wink:</span> <a href="https://twitter.com/bascule/status/1067943488333828096" target="_blank" title="https://twitter.com/bascule/status/1067943488333828096">https://twitter.com/bascule/status/1067943488333828096</a></p>
<div class="inline-preview-twitter"><div class="twitter-tweet"><a href="https://twitter.com/bascule/status/1067943488333828096" target="_blank"><img class="twitter-avatar" src="https://pbs.twimg.com/profile_images/450061818606522368/pjDTHFB9_normal.jpeg"></a><p>“Done is better than perfect” paints a false dichotomy. Somewhere in the middle lies “done well”</p><span>- Tony Arcieri (@bascule)</span></div></div>



<a name="151812477"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151812477" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151812477">(Dec 14 2018 at 23:29)</a>:</h4>
<p>I would argue that the npm model is "done decent"</p>



<a name="151812707"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151812707" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151812707">(Dec 14 2018 at 23:34)</a>:</h4>
<p><code>npm update</code> is a destructive command that is likely to leave your npm modules directory in a broken state due to unresolvable dependencies, so no, I cannot say that's a reasonable way to notify developers about security updates in their dependencies. Even though it's better than nothing.</p>



<a name="151812775"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151812775" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151812775">(Dec 14 2018 at 23:36)</a>:</h4>
<p>More practically, I'm not against warnings on update in cargo for issues not resolved by the update. Quite the opposite, I'm all for them. But they alone are probably not sufficient.</p>



<a name="151813635"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/151813635" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#151813635">(Dec 14 2018 at 23:58)</a>:</h4>
<p>I was mostly talking about the warnings being positive, not the destructive consequences. I would find warnings far better than nothing, and sufficient for a 1.0</p>



<a name="154889263"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/154889263" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#154889263">(Jan 11 2019 at 02:40)</a>:</h4>
<p>RustSec -&gt; <code>cargo crev</code> integration:</p>
<p><a href="https://github.com/RustSec/advisory-db/issues/85" target="_blank" title="https://github.com/RustSec/advisory-db/issues/85">https://github.com/RustSec/advisory-db/issues/85</a><br>
<a href="https://github.com/dpc/crev/issues/149" target="_blank" title="https://github.com/dpc/crev/issues/149">https://github.com/dpc/crev/issues/149</a></p>



<a name="156330782"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156330782" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156330782">(Jan 17 2019 at 23:59)</a>:</h4>
<p>so I was just on a call GitHub organized with a focus group of people interested in vulnerability tracking</p>



<a name="156330875"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156330875" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156330875">(Jan 18 2019 at 00:00)</a>:</h4>
<p>it was pretty exciting. they're trying to build some first-class vulnerability tracking features, integrated into issues</p>



<a name="156331192"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156331192" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156331192">(Jan 18 2019 at 00:05)</a>:</h4>
<p>Will it require format changes for RustSec? Do we want to wait on integrating RustSec into Rust primary tooling until then?</p>



<a name="156331667"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156331667" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156331667">(Jan 18 2019 at 00:12)</a>:</h4>
<p>I don't think it's a replacement for RustSec, no, and I wouldn't wait on it.</p>



<a name="156332119"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156332119" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156332119">(Jan 18 2019 at 00:19)</a>:</h4>
<p>I was thinking more along the lines of it feeding information into RustSec and/or being interoperable both ways</p>



<a name="156333526"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156333526" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156333526">(Jan 18 2019 at 00:25)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> I have some ideas about how to dramatically simplify the official integration</p>



<a name="156333531"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156333531" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156333531">(Jan 18 2019 at 00:25)</a>:</h4>
<p>which would be orthogonal to changing how the advisory database is stored</p>



<a name="156333594"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156333594" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156333594">(Jan 18 2019 at 00:26)</a>:</h4>
<p>namely: add yanking metadata, which is generally useful, and store the RUSTSEC ID with the yank event when it happens</p>



<a name="156333604"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156333604" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156333604">(Jan 18 2019 at 00:26)</a>:</h4>
<p>and give <code>cargo</code> just enough knowledge of RustSec to be able to print a warning message</p>



<a name="156333652"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156333652" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156333652">(Jan 18 2019 at 00:27)</a>:</h4>
<p>e.g. if you had TOML yank metadata with like</p>
<div class="codehilite"><pre><span></span># sketch of yank metadata in TOML (string values must be quoted)
reason = "security"

[rustsec]
id = "RUSTSEC-YYYY-DDDD"
</pre></div>


<p>... or thereabouts, <code>cargo</code> could know enough to say that's a security vulnerability and print the ID</p>



<a name="156333699"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156333699" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156333699">(Jan 18 2019 at 00:28)</a>:</h4>
<p>but to get a full audit, you'd need to install <code>cargo-audit</code> (and barring anything else, cargo could just tell you to do that)</p>



<a name="156333720"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156333720" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156333720">(Jan 18 2019 at 00:29)</a>:</h4>
<p>that would be enough to surface warnings about security vulnerabilities, and at the same time it could also warn that you are using other yanked crates</p>



<a name="156334328"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156334328" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156334328">(Jan 18 2019 at 00:41)</a>:</h4>
<p>I'm not sure I'm sold on this idea</p>



<a name="156334401"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156334401" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156334401">(Jan 18 2019 at 00:42)</a>:</h4>
<p>what don't you like about it?</p>



<a name="156334440"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156334440" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156334440">(Jan 18 2019 at 00:43)</a>:</h4>
<p>main pro to me is: it seems... tractable</p>



<a name="156334448"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156334448" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156334448">(Jan 18 2019 at 00:43)</a>:</h4>
<p>and keeps RustSec decoupled from cargo</p>



<a name="156334459"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156334459" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156334459">(Jan 18 2019 at 00:43)</a>:</h4>
<p>it also leans on existing mechanisms/features, and adds a new feature which people were already requesting anyway</p>



<a name="156334511"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156334511" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156334511">(Jan 18 2019 at 00:44)</a>:</h4>
<p>we could also stick a <code>summary</code>/<code>description</code> in there, since that stuff is also useful for other yank events</p>



<a name="156335143"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156335143" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156335143">(Jan 18 2019 at 00:57)</a>:</h4>
<p>I would expect it to be more... integrated. Like, even npm has the equivalent of full <code>cargo-audit</code> output <em>out of the box,</em> and npm is not a particularly high bar to begin with. I would expect at least that from my tooling.<br>
And I would want at least the "audit the project I'm currently working on" functionality built-in, so it would warn me on <code>cargo build</code> or some such. Getting it in the development loop is what I'm saying.</p>



<a name="156335680"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156335680" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156335680">(Jan 18 2019 at 01:09)</a>:</h4>
<p>Actually, I also want cargo-audit to tell me whether a semver-compatible upgrade path is available or not</p>



<a name="156335693"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156335693" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156335693">(Jan 18 2019 at 01:09)</a>:</h4>
<p>I'm not sure if it does that now</p>



<a name="156336650"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156336650" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156336650">(Jan 18 2019 at 01:31)</a>:</h4>
<p>Why restrict it to semver-compatible? Maybe the fix is in an incompatible version.</p>



<a name="156347271"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156347271" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156347271">(Jan 18 2019 at 06:17)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> that could eventually happen</p>



<a name="156347287"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156347287" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156347287">(Jan 18 2019 at 06:17)</a>:</h4>
<p>but the <code>cargo yank</code> stuff (or something equivalent) is the minimum viable thing to get into <code>cargo</code></p>



<a name="156347409"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156347409" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156347409">(Jan 18 2019 at 06:20)</a>:</h4>
<p>associating metadata with yanks also happens to be a cargo issue that <span class="user-mention" data-user-id="116015">@Alex Crichton</span> opened a few years ago: <a href="https://github.com/rust-lang/cargo/issues/2608" target="_blank" title="https://github.com/rust-lang/cargo/issues/2608">https://github.com/rust-lang/cargo/issues/2608</a></p>



<a name="156347417"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156347417" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156347417">(Jan 18 2019 at 06:20)</a>:</h4>
<p>so I think it could actually stand a reasonably good chance of getting merged if implemented</p>



<a name="156347493"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156347493" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156347493">(Jan 18 2019 at 06:22)</a>:</h4>
<p>he even suggested it would be useful for the purpose of security advisories</p>



<a name="156347761"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156347761" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156347761">(Jan 18 2019 at 06:31)</a>:</h4>
<blockquote>
<p>I don't think it's a replacement for RustSec, no, and I wouldn't wait on it.</p>
</blockquote>
<p>It's hard to tell exactly what they have in mind, but it sounds like it might just be able to like... automate the manual pain points of RustSec, while keeping everything else the same, and also providing an API</p>



<a name="156347767"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156347767" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156347767">(Jan 18 2019 at 06:31)</a>:</h4>
<p><span class="user-mention" data-user-id="130046">@Alex Gaynor</span> ^^^ bleh I can't Zulip</p>



<a name="156347816"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156347816" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156347816">(Jan 18 2019 at 06:32)</a>:</h4>
<p>like, it sounds like they just want to add security vulnerability-related features to the existing issues, and potentially be able to commit some serialized version of that to a git repo</p>



<a name="156347825"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156347825" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156347825">(Jan 18 2019 at 06:33)</a>:</h4>
<p>so uhh, I think we just keep doing what we're doing and maybe it will magically get more automated and awesome and get an API and potentially a "push button, get CVE"</p>



<a name="156350459"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156350459" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156350459">(Jan 18 2019 at 07:50)</a>:</h4>
<p>wrote this all up in a bit more detail: <a href="https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/14" target="_blank" title="https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/14">https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/14</a></p>



<a name="156871658"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156871658" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156871658">(Jan 25 2019 at 18:15)</a>:</h4>
<p>Here's something related to security updates and built timestamping: <a href="https://medium.com/@flundstrom2/manage-security-vulnerabilities-in-embedded-iot-devices-with-rust-14aeabada68b" target="_blank" title="https://medium.com/@flundstrom2/manage-security-vulnerabilities-in-embedded-iot-devices-with-rust-14aeabada68b">https://medium.com/@flundstrom2/manage-security-vulnerabilities-in-embedded-iot-devices-with-rust-14aeabada68b</a></p>



<a name="156872727"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156872727" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156872727">(Jan 25 2019 at 18:30)</a>:</h4>
<p>nice</p>



<a name="156873880"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156873880" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156873880">(Jan 25 2019 at 18:46)</a>:</h4>
<p>guess these are the papers:</p>
<p><a href="https://ieeexplore.ieee.org/document/8536124" target="_blank" title="https://ieeexplore.ieee.org/document/8536124">https://ieeexplore.ieee.org/document/8536124</a><br>
<a href="https://csce.ucmss.com/cr/books/2018/LFS/CSREA2018/SER3572.pdf" target="_blank" title="https://csce.ucmss.com/cr/books/2018/LFS/CSREA2018/SER3572.pdf">https://csce.ucmss.com/cr/books/2018/LFS/CSREA2018/SER3572.pdf</a></p>



<a name="156873969"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156873969" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156873969">(Jan 25 2019 at 18:47)</a>:</h4>
<p>IEEE one unfortunately paywalled <span aria-label="cry" class="emoji emoji-1f622" role="img" title="cry">:cry:</span></p>



<a name="156884229"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156884229" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156884229">(Jan 25 2019 at 20:56)</a>:</h4>
<p>has anyone tried cargo crev?</p>



<a name="156884509"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156884509" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156884509">(Jan 25 2019 at 21:01)</a>:</h4>
<p>I just tried to install it via cargo, doesn't even compile</p>



<a name="156929745"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156929745" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156929745">(Jan 26 2019 at 15:39)</a>:</h4>
<p>I installed it but... wasn't able to figure out how to actually make use of it other than submitting reviews. It does seem to have an active community though.</p>



<a name="156972411"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/156972411" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#156972411">(Jan 27 2019 at 13:31)</a>:</h4>
<p>Try filing a bug about what you couldn't figure out. It can be hard to figure out what docs you're missing when you're a developer</p>



<a name="159440921"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/159440921" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#159440921">(Feb 26 2019 at 17:23)</a>:</h4>
<p><a href="https://arxiv.org/pdf/1902.09217.pdf" target="_blank" title="https://arxiv.org/pdf/1902.09217.pdf">https://arxiv.org/pdf/1902.09217.pdf</a></p>



<a name="159799259"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/159799259" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#159799259">(Mar 02 2019 at 14:19)</a>:</h4>
<blockquote>
<p><a href="https://arxiv.org/pdf/1902.09217.pdf" target="_blank" title="https://arxiv.org/pdf/1902.09217.pdf">https://arxiv.org/pdf/1902.09217.pdf</a></p>
</blockquote>
<p><span aria-label="point up" class="emoji emoji-1f446" role="img" title="point up">:point_up:</span> this is a study of npm package hierarchy, their maintenance status, and how many accounts you need to compromise to get malicious code in the majority of packages. The situation is about as bad as you'd expect. Mitigation techniques and their potential effectiveness are also discussed. This could be valuable info for preventing the same on <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a></p>



<a name="159799269"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/159799269" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#159799269">(Mar 02 2019 at 14:19)</a>:</h4>
<p>Also, here's another bug that should have got a RustSec entry, but didn't: <a href="https://github.com/nabijaczleweli/safe-transmute-rs/pull/36" target="_blank" title="https://github.com/nabijaczleweli/safe-transmute-rs/pull/36">https://github.com/nabijaczleweli/safe-transmute-rs/pull/36</a></p>



<a name="159800281"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/159800281" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#159800281">(Mar 02 2019 at 14:43)</a>:</h4>
<p>It's not too late to issue one!</p>



<a name="159801348"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/159801348" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#159801348">(Mar 02 2019 at 15:12)</a>:</h4>
<p>indeed. while we're yet to get our first 2019 RustSec advisory, in 2019 I've merged two retroactive ones for 2018</p>



<a name="159801359"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/159801359" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#159801359">(Mar 02 2019 at 15:13)</a>:</h4>
<p>err maybe it was just one, but still</p>



<a name="159803251"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/159803251" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#159803251">(Mar 02 2019 at 15:51)</a>:</h4>
<p>I've commented on the pull request</p>



<a name="159807805"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/159807805" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#159807805">(Mar 02 2019 at 17:52)</a>:</h4>
<p>Aaand the advisory is <del>merged</del> created: <a href="https://github.com/RustSec/advisory-db/pull/89" target="_blank" title="https://github.com/RustSec/advisory-db/pull/89">https://github.com/RustSec/advisory-db/pull/89</a></p>



<a name="159810861"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/159810861" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#159810861">(Mar 02 2019 at 19:17)</a>:</h4>
<blockquote>
<p>This could be valuable info for preventing the same on <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a></p>
</blockquote>
<p>that's the reason why I shared it :)</p>



<a name="165539829"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/165539829" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#165539829">(May 13 2019 at 15:38)</a>:</h4>
<p><a href="https://twitter.com/RustSec/status/1127960863271374853" target="_blank" title="https://twitter.com/RustSec/status/1127960863271374853">https://twitter.com/RustSec/status/1127960863271374853</a></p>
<div class="inline-preview-twitter"><div class="twitter-tweet"><a href="https://twitter.com/RustSec/status/1127960863271374853" target="_blank"><img class="twitter-avatar" src="https://pbs.twimg.com/profile_images/825186818278584320/zVKr7DJa_normal.jpg"></a><p>Security advisory for the Rust standard library - 2019-05-13: Error::type_id unsafe memory access due to type confusion <a href="https://t.co/yTAIr5SecJ" target="_blank" title="https://t.co/yTAIr5SecJ">https://groups.google.com/d/msg/rustlang-security-announcements/aZabeCMUv70/-2Y6-SL6AQAJ</a></p><span>- RustSec (@RustSec)</span></div></div>



<a name="165539833"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/165539833" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#165539833">(May 13 2019 at 15:38)</a>:</h4>
<p>welp</p>



<a name="165539849"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/165539849" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#165539849">(May 13 2019 at 15:38)</a>:</h4>
<p>might be time to think about getting those into RustSec proper again</p>



<a name="165554260"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/165554260" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#165554260">(May 13 2019 at 18:19)</a>:</h4>
<p><a href="https://crates.parity.io/src/protobuf/core.rs.html#144" target="_blank" title="https://crates.parity.io/src/protobuf/core.rs.html#144">https://crates.parity.io/src/protobuf/core.rs.html#144</a> is this vulnerable?</p>



<a name="165554356"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/165554356" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#165554356">(May 13 2019 at 18:20)</a>:</h4>
<p>btw, there's another protobuf bug (OOM) that is fixed in master but not shipped in the latest version: <a href="https://github.com/stepancheg/rust-protobuf/commit/66a22c88d7efb762a7e2390f2bfdb275c199434c#diff-03da03412d4490720c45da0a6f43d56cR640" target="_blank" title="https://github.com/stepancheg/rust-protobuf/commit/66a22c88d7efb762a7e2390f2bfdb275c199434c#diff-03da03412d4490720c45da0a6f43d56cR640">https://github.com/stepancheg/rust-protobuf/commit/66a22c88d7efb762a7e2390f2bfdb275c199434c#diff-03da03412d4490720c45da0a6f43d56cR640</a></p>



<a name="165629319"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/165629319" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#165629319">(May 14 2019 at 14:56)</a>:</h4>
<p>I think the vuln was specifically related to <code>Error</code></p>



<a name="165629330"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/165629330" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#165629330">(May 14 2019 at 14:56)</a>:</h4>
<p>although ugh @ the <code>protobuf</code> crate stuff</p>



<a name="165629339"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/165629339" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#165629339">(May 14 2019 at 14:56)</a>:</h4>
<p>/me happily switched to Prost some time ago</p>



<a name="165667998"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/165667998" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#165667998">(May 14 2019 at 22:20)</a>:</h4>
<p>I think that definition of <code>type_id</code> is correct?</p>



<a name="167704880"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/167704880" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#167704880">(Jun 09 2019 at 15:43)</a>:</h4>
<p>fun times with format injection <a href="https://github.com/RustSec/advisory-db/issues/106" target="_blank" title="https://github.com/RustSec/advisory-db/issues/106">https://github.com/RustSec/advisory-db/issues/106</a></p>



<a name="168359226"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168359226" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168359226">(Jun 18 2019 at 00:20)</a>:</h4>
<p>thinking about filing a blanket RustSec advisory for this crate: <a href="https://crates.io/crates/aes-frast" target="_blank" title="https://crates.io/crates/aes-frast">https://crates.io/crates/aes-frast</a></p>



<a name="168359233"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168359233" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168359233">(Jun 18 2019 at 00:20)</a>:</h4>
<blockquote>
<p>NOT for Serious Usage</p>
</blockquote>



<a name="168359242"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168359242" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168359242">(Jun 18 2019 at 00:21)</a>:</h4>
<blockquote>
<p>The AES algorithm is implemented by looking-up-tables.</p>
</blockquote>



<a name="168359245"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168359245" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168359245">(Jun 18 2019 at 00:21)</a>:</h4>
<p>seems bad</p>



<a name="168359323"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168359323" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168359323">(Jun 18 2019 at 00:22)</a>:</h4>
<p>has a few downstream dependencies <a href="https://crates.io/crates/aes-frast/reverse_dependencies" target="_blank" title="https://crates.io/crates/aes-frast/reverse_dependencies">https://crates.io/crates/aes-frast/reverse_dependencies</a></p>



<a name="168377646"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168377646" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> brycx <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168377646">(Jun 18 2019 at 07:55)</a>:</h4>
<p>He does explicitly mention timing-attacks are out-of-scope for the lib, so I don't know if it is applicable for an advisory:</p>
<blockquote>
<p>However, this lib assumes that the computers which run the lib are secure and users of this lib have done something to avoid the timing problems. Usages like file encryption may be suitable.</p>
</blockquote>
<p>An advisory would make clear that the following is an actual security issue and not just something some "researches" have talked about:</p>
<blockquote>
<p>some researches have reported that there could be timing problems in looking-up-tables implement.</p>
</blockquote>
<p>I guess people who don't know what timing-attacks encompass, would benefit more from reading a security advisory than to make decisions based on the README's security section.</p>



<a name="168409440"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168409440" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168409440">(Jun 18 2019 at 15:02)</a>:</h4>
<p>yeah, I can see both sides to filing or not filing an advisory</p>



<a name="168409487"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168409487" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168409487">(Jun 18 2019 at 15:03)</a>:</h4>
<p>but I'm not sure the author declaring a table-stakes security property of a cryptography library as out of scope actually makes it out of scope</p>



<a name="168439029"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168439029" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> brycx <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168439029">(Jun 18 2019 at 17:58)</a>:</h4>
<p>True as well. TBH I'm leaning more to the filing of an advisory, purely based on the README's "could be timing problems in looking-up-tables implement". Just to make clear that the "could" should be "are".</p>



<a name="168439306"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168439306" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> brycx <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168439306">(Jun 18 2019 at 18:01)</a>:</h4>
<p>Again, if people don't do their due diligence they might just think "oh there 'could' be. If there were he'd say so"</p>



<a name="168446742"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168446742" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168446742">(Jun 18 2019 at 19:22)</a>:</h4>
<p>Note that any crate that makes use of it will also get caught up in the advisory in the crates auditor</p>



<a name="168450113"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168450113" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168450113">(Jun 18 2019 at 20:01)</a>:</h4>
<p>It presently has two downstream dependencies. They're what I'm actually concerned about, as they seem to be using it for "Serious Usage"</p>



<a name="168450129"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168450129" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168450129">(Jun 18 2019 at 20:01)</a>:</h4>
<p><a href="https://crates.io/crates/sardine" target="_blank" title="https://crates.io/crates/sardine">https://crates.io/crates/sardine</a></p>



<a name="168450198"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168450198" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168450198">(Jun 18 2019 at 20:02)</a>:</h4>
<p><a href="https://crates.io/crates/deploy-common" target="_blank" title="https://crates.io/crates/deploy-common">https://crates.io/crates/deploy-common</a></p>



<a name="168580836"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168580836" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168580836">(Jun 20 2019 at 09:40)</a>:</h4>
<p>I suppose cargo-crev would be the best place to put info like this</p>



<a name="168600910"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168600910" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168600910">(Jun 20 2019 at 14:33)</a>:</h4>
<p>Do you want to post about these on Reddit to give more visibility to the RustSec and pressure people into fixing their crates? That worked for me last time.</p>



<a name="168603939"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168603939" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168603939">(Jun 20 2019 at 15:06)</a>:</h4>
<p>that's a good idea</p>



<a name="168604518"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/168604518" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#168604518">(Jun 20 2019 at 15:12)</a>:</h4>
<p>Fun fact: once I saw those vulnerabilities I understood why Rust has this weird FormatArgs struct</p>



<a name="169240618"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/169240618" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#169240618">(Jun 28 2019 at 16:35)</a>:</h4>
<p>Hey look, RustSec's got another client: <a href="https://www.reddit.com/r/rust/comments/c6jryy/opensource_scanner_for_vulnerabilities_in_rust/" target="_blank" title="https://www.reddit.com/r/rust/comments/c6jryy/opensource_scanner_for_vulnerabilities_in_rust/">https://www.reddit.com/r/rust/comments/c6jryy/opensource_scanner_for_vulnerabilities_in_rust/</a></p>



<a name="169409803"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/169409803" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#169409803">(Jul 01 2019 at 16:31)</a>:</h4>
<p>err, what?</p>



<a name="169410868"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/169410868" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#169410868">(Jul 01 2019 at 16:48)</a>:</h4>
<p>lol it does actually use the RustSec vulnerability database? <a href="https://github.com/FiroSolutions/cifiro" target="_blank" title="https://github.com/FiroSolutions/cifiro">https://github.com/FiroSolutions/cifiro</a></p>



<a name="169517994"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/169517994" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#169517994">(Jul 02 2019 at 20:48)</a>:</h4>
<p>Yeah it does. Speaking of which, <a href="https://github.com/RustSec/advisory-db/pull/119" target="_blank" title="https://github.com/RustSec/advisory-db/pull/119">https://github.com/RustSec/advisory-db/pull/119</a> has been outstanding for a few days, any reason not to merge it?</p>



<a name="169518027"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/169518027" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#169518027">(Jul 02 2019 at 20:49)</a>:</h4>
<p>no sorry, trying to cut a release of something else here and didn't get around to reviewing it yet. let me take a look</p>



<a name="169518128"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/169518128" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#169518128">(Jul 02 2019 at 20:50)</a>:</h4>
<p>err, I guess you left the comments in <span aria-label="stuck out tongue wink" class="emoji emoji-1f61c" role="img" title="stuck out tongue wink">:stuck_out_tongue_wink:</span> remove them and it should be good.</p>



<a name="169519601"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/169519601" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#169519601">(Jul 02 2019 at 21:12)</a>:</h4>
<p>looks good now. except Travis CI is a million years behind, I assume due to a giant spike in their queue from jobs that hit Cloudflare for stuff, which seems to be anything related to JavaScript</p>



<a name="169557749"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/169557749" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#169557749">(Jul 03 2019 at 11:23)</a>:</h4>
<p>Hey look, dependabot also uses the rustsec database: <a href="https://github.com/coreos/afterburn/pull/239" target="_blank" title="https://github.com/coreos/afterburn/pull/239">https://github.com/coreos/afterburn/pull/239</a><br>
Not sure how useful that is in the current form, but it is a precedent for bothering people on github about vulnerabilities in their dependencies.</p>



<a name="169568188"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/169568188" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#169568188">(Jul 03 2019 at 13:54)</a>:</h4>
<p>on the one hand, it was cool to see Dependabot update a codebase I released yesterday. Unfortunately, it added a ton of dependencies accidentally and nobody noticed <span aria-label="scream" class="emoji emoji-1f631" role="img" title="scream">:scream:</span></p>



<a name="169568210"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/169568210" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#169568210">(Jul 03 2019 at 13:55)</a>:</h4>
<p>I'm a bit torn on that whole thing</p>



<a name="169568721"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/169568721" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#169568721">(Jul 03 2019 at 14:00)</a>:</h4>
<p>Now that github owns dependabot and people can get it for free, I think it's even more valuable</p>



<a name="170495034"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/170495034" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#170495034">(Jul 09 2019 at 22:18)</a>:</h4>
<p>how does dependabot behave if there's no Cargo.lock checked-in?</p>



<a name="170495054"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/170495054" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#170495054">(Jul 09 2019 at 22:18)</a>:</h4>
<p>It'll update <code>Cargo.toml</code> pins I think</p>



<a name="170495080"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/170495080" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#170495080">(Jul 09 2019 at 22:19)</a>:</h4>
<p>ah yes I see in <a href="https://dependabot.com/rust/" target="_blank" title="https://dependabot.com/rust/">https://dependabot.com/rust/</a></p>



<a name="171441169"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171441169" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171441169">(Jul 22 2019 at 15:37)</a>:</h4>
<p>wonder if I should yank some of the older versions of <code>cargo-audit</code> that have false positives for <code>memoffset</code></p>



<a name="171441256"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171441256" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171441256">(Jul 22 2019 at 15:38)</a>:</h4>
<p>I just tried to respond to one I noticed and now GitHub is giving me 500s</p>



<a name="171454330"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171454330" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171454330">(Jul 22 2019 at 18:19)</a>:</h4>
<p>I think yanking is too extreme</p>



<a name="171454997"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171454997" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171454997">(Jul 22 2019 at 18:27)</a>:</h4>
<p>I guess I could file a pseudo-advisory against itself</p>



<a name="171455100"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171455100" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171455100">(Jul 22 2019 at 18:29)</a>:</h4>
<p>it's not a security issue, what are you talking about</p>



<a name="171455132"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171455132" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171455132">(Jul 22 2019 at 18:29)</a>:</h4>
<p>people aren't upgrading</p>



<a name="171455139"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171455139" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171455139">(Jul 22 2019 at 18:29)</a>:</h4>
<p>and they keep opening issues</p>



<a name="171455144"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171455144" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171455144">(Jul 22 2019 at 18:29)</a>:</h4>
<p>because they aren't upgrading</p>



<a name="171455149"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171455149" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171455149">(Jul 22 2019 at 18:29)</a>:</h4>
<p>and the old versions have bugs</p>



<a name="171455159"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171455159" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171455159">(Jul 22 2019 at 18:29)</a>:</h4>
<p>the bugs create false positives, and people are very confused why</p>



<a name="171455169"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171455169" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171455169">(Jul 22 2019 at 18:29)</a>:</h4>
<p>I am worried they might churn from using the tool if they can't figure out what the problem is</p>



<a name="171456238"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171456238" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171456238">(Jul 22 2019 at 18:41)</a>:</h4>
<p>yanking will not make people upgrade</p>



<a name="171456266"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171456266" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171456266">(Jul 22 2019 at 18:41)</a>:</h4>
<p>there is literally no way in Cargo to distribute updates, not even security updates</p>



<a name="171456368"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171456368" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171456368">(Jul 22 2019 at 18:42)</a>:</h4>
<p>It's this weird mix of "use the latest suitable version" when compiling and then sort of "use the oldest suitable version" when installing? At least Go is consistent in always using the oldest suitable version.</p>



<a name="171456497"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171456497" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171456497">(Jul 22 2019 at 18:43)</a>:</h4>
<p>yeah, a big part of the problem here is Docker too... people have some ancient Docker image with a buggy <code>cargo-audit</code></p>



<a name="171456507"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/171456507" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#171456507">(Jul 22 2019 at 18:43)</a>:</h4>
<p>I have no idea how yanking affects <code>cargo install</code></p>



<a name="174149202"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174149202" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174149202">(Aug 26 2019 at 15:02)</a>:</h4>
<p>/me sees old comment, responds to himself "yes you do, Tony" <span aria-label="stuck out tongue wink" class="emoji emoji-1f61c" role="img" title="stuck out tongue wink">:stuck_out_tongue_wink:</span></p>



<a name="174149206"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174149206" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174149206">(Aug 26 2019 at 15:02)</a>:</h4>
<p>but uhh</p>



<a name="174149222"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174149222" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174149222">(Aug 26 2019 at 15:02)</a>:</h4>
<p>on a completely different note, here's a fun one: <a href="https://github.com/RustSec/advisory-db/pull/131" target="_blank" title="https://github.com/RustSec/advisory-db/pull/131">https://github.com/RustSec/advisory-db/pull/131</a></p>



<a name="174149244"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174149244" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174149244">(Aug 26 2019 at 15:02)</a>:</h4>
<p>a RustSec advisory for vulnerable example code</p>



<a name="174165285"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174165285" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174165285">(Aug 26 2019 at 18:30)</a>:</h4>
<p>Hmm, I'm not sure it deserves an advisory.</p>



<a name="174196216"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174196216" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174196216">(Aug 27 2019 at 04:40)</a>:</h4>
<p>FYI, trying to fix prerelease handling: <a href="https://github.com/RustSec/rustsec-crate/pull/69" target="_blank" title="https://github.com/RustSec/rustsec-crate/pull/69">https://github.com/RustSec/rustsec-crate/pull/69</a></p>



<a name="174260542"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174260542" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174260542">(Aug 27 2019 at 19:11)</a>:</h4>
<p>Wow, what a rabbit hole</p>



<a name="174261909"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174261909" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> ctz <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174261909">(Aug 27 2019 at 19:22)</a>:</h4>
<blockquote>
<p>Hmm, I'm not sure it deserves an advisory.</p>
</blockquote>
<p>Well, I agree. I filed it because someone decided to allocate a CVE. Not totally sure who or why because I didn't get contacted separately</p>



<a name="174264192"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174264192" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174264192">(Aug 27 2019 at 19:47)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> haha, seriously. I think it should be good now</p>



<a name="174264207"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174264207" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174264207">(Aug 27 2019 at 19:47)</a>:</h4>
<p>this one's gonna be ugly: <a href="https://github.com/RustSec/advisory-db/pull/132" target="_blank" title="https://github.com/RustSec/advisory-db/pull/132">https://github.com/RustSec/advisory-db/pull/132</a></p>



<a name="174264296"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174264296" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174264296">(Aug 27 2019 at 19:48)</a>:</h4>
<p>Why?</p>



<a name="174264396"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174264396" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174264396">(Aug 27 2019 at 19:49)</a>:</h4>
<p>widespread usage as a dependency</p>



<a name="174264399"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174264399" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174264399">(Aug 27 2019 at 19:49)</a>:</h4>
<p>for e.g. <em>ring</em></p>



<a name="174318637"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174318637" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174318637">(Aug 27 2019 at 23:22)</a>:</h4>
<p>welp <a href="https://github.com/RustSec/cvss.rs" target="_blank" title="https://github.com/RustSec/cvss.rs">https://github.com/RustSec/cvss.rs</a></p>



<a name="174329634"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174329634" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174329634">(Aug 28 2019 at 03:41)</a>:</h4>
<p>Very annoying because it seems like it doesn't affect <em>ring</em> at all but nobody will understand that. Or, if it does then there would still be an active bug in code that the PR that fixed <code>spin::rw_lock</code> doesn't touch. See <a href="https://github.com/RustSec/advisory-db/pull/132#discussion_r318379927" target="_blank" title="https://github.com/RustSec/advisory-db/pull/132#discussion_r318379927">https://github.com/RustSec/advisory-db/pull/132#discussion_r318379927</a>.</p>



<a name="174329692"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174329692" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174329692">(Aug 28 2019 at 03:42)</a>:</h4>
<p>The bigger issue is that the author of spin-rs indicated he doesn't have time to work on it anymore. Now I'll be looking for a <code>#![no_std]</code> replacement for <code>spin::Once</code>. Any suggestions?</p>



<a name="174329759"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174329759" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174329759">(Aug 28 2019 at 03:44)</a>:</h4>
<p>Note that <code>spin-rs</code> was too eager to call <code>spin_loop_hint</code> anyway, so there are potentially perf reasons to use something else too.</p>



<a name="174330940"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174330940" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174330940">(Aug 28 2019 at 04:16)</a>:</h4>
<p><span class="user-mention" data-user-id="133214">@briansmith</span> oof</p>



<a name="174331026"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174331026" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174331026">(Aug 28 2019 at 04:18)</a>:</h4>
<p>reminds me of <a href="https://github.com/Stebalien/term/issues/93" target="_blank" title="https://github.com/Stebalien/term/issues/93">https://github.com/Stebalien/term/issues/93</a></p>



<a name="174331047"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174331047" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174331047">(Aug 28 2019 at 04:18)</a>:</h4>
<p>seems like there's some huge ecosystem risk in these ubiquitously used core infrastructure crates going unmaintained</p>



<a name="174331053"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174331053" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174331053">(Aug 28 2019 at 04:18)</a>:</h4>
<p>and potential for software supply chain attacks...</p>



<a name="174339788"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174339788" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174339788">(Aug 28 2019 at 07:36)</a>:</h4>
<blockquote>
<p>seems like there's some huge ecosystem risk in these ubiquitously used core infrastructure crates going unmaintained</p>
</blockquote>
<p>spin-rs was still rather young, wasn't it? I was quite surprised (and worried) by how quickly it seemed to appear as a dependency of core crates like lazy_static</p>



<a name="174339798"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174339798" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174339798">(Aug 28 2019 at 07:36)</a>:</h4>
<p>(not that that even is a good idea, see <a href="https://github.com/rust-lang-nursery/lazy-static.rs/issues/150" target="_blank" title="https://github.com/rust-lang-nursery/lazy-static.rs/issues/150">https://github.com/rust-lang-nursery/lazy-static.rs/issues/150</a>)</p>



<a name="174339836"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174339836" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174339836">(Aug 28 2019 at 07:37)</a>:</h4>
<p>The race for <code>#[no_std]</code> has some quite negative effects on overall ecosystem reliability, it seems :/</p>



<a name="174340025"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174340025" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174340025">(Aug 28 2019 at 07:40)</a>:</h4>
<p>I wish, when it comes to things like synchronization, that at least libstd things would be used where possible and the less reviewed fallbacks are only used when necessary... but spin-rs <em>always</em> uses its own code, even when running on systems where much better alternatives exist (e.g. parking_lot)</p>



<a name="174340845"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174340845" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174340845">(Aug 28 2019 at 07:56)</a>:</h4>
<p>For the most part, that's what I'm doing, only using <code>spin</code> directly when necessary. However, IIRC, the design of <code>lazy_static</code> w.r.t. its <code>no_std</code> support is broken: If you enable its <code>no_std</code> support then it will use <code>spin</code> even when <code>std</code> is available, and there's no way to sometimes use <code>std</code> and other times use <code>spin</code> depending on the context (sometimes it matters).</p>



<a name="174340925"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174340925" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174340925">(Aug 28 2019 at 07:57)</a>:</h4>
<p>Using parking_lot is a non-starter for me--it's not <code>#[no_std]</code>, and so there's not much advantage over libstd. <a href="https://github.com/rust-lang/rust/pull/56410" target="_blank" title="https://github.com/rust-lang/rust/pull/56410">https://github.com/rust-lang/rust/pull/56410</a> has been in progress for almost a year with no end in sight.</p>



<a name="174341031"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174341031" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174341031">(Aug 28 2019 at 07:59)</a>:</h4>
<p>I would suggest that something like <code>spin::Once</code> should be in libcore or similar (maybe something analogous to the <code>alloc</code> crate for synchronization primitives), and I would even submit a PR to do it and/or an RFC, if there was some assurance that it wouldn't drag on for more than 3 months. But it looks like a multi-year project despite being very simple and easy to write and implement.</p>



<a name="174354083"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174354083" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174354083">(Aug 28 2019 at 11:48)</a>:</h4>
<p>doing blocking isn't simple, IMO. if you have OS facilities available, you certainly don't want to spin while whoever has the lock is calling <code>open</code>...</p>



<a name="174354205"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174354205" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174354205">(Aug 28 2019 at 11:51)</a>:</h4>
<p>not sure what the best design for this is. maybe something like allocators: there's a global "blocking" primitive (similar to what parking_lot has), and then <code>Once</code> can live in core and rely on that blocking primitive, and libstd can provide the blocking primitive, and <code>no_std</code> environments can provide their own.</p>



<a name="174354231"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174354231" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174354231">(Aug 28 2019 at 11:51)</a>:</h4>
<p>IOW, you basically want <code>thread::park</code>/<code>unpark</code>. parking_lot's API is more complicated for performance reasons, but AFAIK the gist is the same.</p>



<a name="174354299"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174354299" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174354299">(Aug 28 2019 at 11:52)</a>:</h4>
<p>not doing anything and returning immediately is a correct implementation of <code>thread::park</code>/<code>unpark</code>, so there's a trivial thing to do for bare metal code</p>



<a name="174379750"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174379750" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174379750">(Aug 28 2019 at 16:34)</a>:</h4>
<p>/me wishes Rust had first class support for lazy statics as opposed to a macro...</p>



<a name="174379761"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174379761" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174379761">(Aug 28 2019 at 16:34)</a>:</h4>
<p>a macro really makes them feel half-finished</p>



<a name="174379806"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174379806" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174379806">(Aug 28 2019 at 16:35)</a>:</h4>
<p>see also <a href="https://internals.rust-lang.org/t/allow-non-const-statics/10676" target="_blank" title="https://internals.rust-lang.org/t/allow-non-const-statics/10676">https://internals.rust-lang.org/t/allow-non-const-statics/10676</a></p>



<a name="174379876"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174379876" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174379876">(Aug 28 2019 at 16:36)</a>:</h4>
<p>on a completely unrelated note...</p>



<a name="174379886"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174379886" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174379886">(Aug 28 2019 at 16:36)</a>:</h4>
<p>the docs for the <code>cvss</code> crate finally rendered <a href="https://docs.rs/cvss/0.2.0/cvss/v3/base/av/enum.AttackVector.html" target="_blank" title="https://docs.rs/cvss/0.2.0/cvss/v3/base/av/enum.AttackVector.html">https://docs.rs/cvss/0.2.0/cvss/v3/base/av/enum.AttackVector.html</a></p>



<a name="174380526"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174380526" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174380526">(Aug 28 2019 at 16:45)</a>:</h4>
<p>guess I'll merge and announce the <code>spin</code> vulnerability</p>



<a name="174380535"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174380535" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174380535">(Aug 28 2019 at 16:45)</a>:</h4>
<p>brace for impact</p>



<a name="174384743"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174384743" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174384743">(Aug 28 2019 at 17:36)</a>:</h4>
<p>pushing the button...</p>



<a name="174385300"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174385300" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174385300">(Aug 28 2019 at 17:43)</a>:</h4>
<p>it's up. will tweet <a href="https://rustsec.org/advisories/RUSTSEC-2019-0013.html" target="_blank" title="https://rustsec.org/advisories/RUSTSEC-2019-0013.html">https://rustsec.org/advisories/RUSTSEC-2019-0013.html</a></p>



<a name="174386319"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174386319" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174386319">(Aug 28 2019 at 17:54)</a>:</h4>
<p>hopefully this helps re: <code>spin</code> false positives <a href="https://twitter.com/RustSec/status/1166770956095746048" target="_blank" title="https://twitter.com/RustSec/status/1166770956095746048">https://twitter.com/RustSec/status/1166770956095746048</a></p>
<div class="inline-preview-twitter"><div class="twitter-tweet"><p>Note that this particular advisory may have false positives (for e.g. `lazy_static`, `ring`), since it only impacts `spin::Once`, which is used by `lazy_static` ONLY if you're using `spin_no_std`.

If you're getting false positives, try `--ignore RUSTSEC-2019-0013`</p><span>- RustSec (@RustSec)</span></div></div>



<a name="174388528"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174388528" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174388528">(Aug 28 2019 at 18:22)</a>:</h4>
<p>Someone in another chat I'm in brought up that rustsec is blocked by their virus scanner, Sophos. I'm opening a support ticket to get it re-evaluated.</p>



<a name="174388687"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174388687" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174388687">(Aug 28 2019 at 18:25)</a>:</h4>
<p>huh, how'd they install it? and wouldn't that impact other Rust apps?</p>



<a name="174388785"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174388785" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174388785">(Aug 28 2019 at 18:27)</a>:</h4>
<p>It is some crappy endpoint software. Looks like it lets the org set rules on categories of sites they can visit. It's probably just a mistake in the endpoint software's categorization. It doesn't sound like he has issues with other Rust sites.</p>



<a name="174388894"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174388894" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174388894">(Aug 28 2019 at 18:28)</a>:</h4>
<p>oh weird, it flagged <a href="https://rustsec.org" target="_blank" title="https://rustsec.org">https://rustsec.org</a> ?</p>



<a name="174388905"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174388905" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174388905">(Aug 28 2019 at 18:29)</a>:</h4>
<p>maybe a false positive triggered by all the scary wording about vulnerabilities <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="174388936"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174388936" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174388936">(Aug 28 2019 at 18:29)</a>:</h4>
<p>That's what I thought until he shared a screenshot saying it was because of swimwear and other inappropriate apparel.</p>



<a name="174388995"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174388995" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174388995">(Aug 28 2019 at 18:30)</a>:</h4>
<p>Stupid sexy Ferris</p>



<a name="174389048"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174389048" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174389048">(Aug 28 2019 at 18:30)</a>:</h4>
<p>Either way, ticket is in with the vendor but figured you might want to know in case other users have issues.</p>



<a name="174395280"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174395280" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174395280">(Aug 28 2019 at 19:46)</a>:</h4>
<p>FYI, just added (optional) CVSS v3 scores to RustSec advisories: <a href="https://github.com/RustSec/rustsec-crate/pull/72" target="_blank" title="https://github.com/RustSec/rustsec-crate/pull/72">https://github.com/RustSec/rustsec-crate/pull/72</a></p>



<a name="174395323"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174395323" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174395323">(Aug 28 2019 at 19:47)</a>:</h4>
<p>we need them to file CVEs anyway, and it provides a path to severity filtering: <a href="https://docs.rs/cvss/0.2.0/cvss/severity/enum.Severity.html" target="_blank" title="https://docs.rs/cvss/0.2.0/cvss/severity/enum.Severity.html">https://docs.rs/cvss/0.2.0/cvss/severity/enum.Severity.html</a></p>



<a name="174395372"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174395372" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174395372">(Aug 28 2019 at 19:47)</a>:</h4>
<p>also trying to do some (backwards compatible) sprucing up of the advisory format and <code>rustsec</code> crate in general: <a href="https://github.com/RustSec/rustsec-crate/pull/73" target="_blank" title="https://github.com/RustSec/rustsec-crate/pull/73">https://github.com/RustSec/rustsec-crate/pull/73</a></p>



<a name="174395384"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174395384" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174395384">(Aug 28 2019 at 19:47)</a>:</h4>
<p>splitting out <code>[affected]</code> and <code>[versions]</code> sections</p>



<a name="174419278"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174419278" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174419278">(Aug 29 2019 at 02:54)</a>:</h4>
<p>based on some Twitter discussion around the <code>term</code> crate being unmaintained, and a suggestion I got, I opened an issue with an idea...</p>



<a name="174424419"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174424419" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174424419">(Aug 29 2019 at 05:09)</a>:</h4>
<p>will make a separate stream for it</p>



<a name="174428667"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174428667" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174428667">(Aug 29 2019 at 06:53)</a>:</h4>
<blockquote>
<p>That's what I thought until he shared a screenshot saying it was because of swimwear and other inappropriate apparel.</p>
</blockquote>
<p>swimwear is inappropriate? do they propose we bathe naked? :P</p>



<a name="174458900"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174458900" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174458900">(Aug 29 2019 at 14:28)</a>:</h4>
<p>FYI, a PR to add categories to RustSec advisories, based on our criteria for which vulnerability categories are allowed <a href="https://github.com/RustSec/rustsec-crate/pull/74" target="_blank" title="https://github.com/RustSec/rustsec-crate/pull/74">https://github.com/RustSec/rustsec-crate/pull/74</a></p>



<a name="174629311"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174629311" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174629311">(Aug 31 2019 at 19:05)</a>:</h4>
<p>I'm prodding people fixing unsoundness to file RustSec advisories again. I'll post the issues/PRs where I do that, so that if nothing comes out of them after a week or so we can do that ourselves:</p>
<p><a href="https://github.com/image-rs/image/pull/985" target="_blank" title="https://github.com/image-rs/image/pull/985">https://github.com/image-rs/image/pull/985</a><br>
<a href="https://github.com/tomprogrammer/rust-ascii/issues/64" target="_blank" title="https://github.com/tomprogrammer/rust-ascii/issues/64">https://github.com/tomprogrammer/rust-ascii/issues/64</a><br>
<a href="https://github.com/Robbepop/string-interner/issues/9" target="_blank" title="https://github.com/Robbepop/string-interner/issues/9">https://github.com/Robbepop/string-interner/issues/9</a><br>
<a href="https://github.com/matklad/once_cell/pull/33" target="_blank" title="https://github.com/matklad/once_cell/pull/33">https://github.com/matklad/once_cell/pull/33</a><br>
<a href="https://github.com/danburkert/prost/pull/194" target="_blank" title="https://github.com/danburkert/prost/pull/194">https://github.com/danburkert/prost/pull/194</a><br>
<a href="https://github.com/llogiq/compact_arena/issues/22" target="_blank" title="https://github.com/llogiq/compact_arena/issues/22">https://github.com/llogiq/compact_arena/issues/22</a><br>
<a href="https://github.com/rust-lang-nursery/futures-rs/pull/1654" target="_blank" title="https://github.com/rust-lang-nursery/futures-rs/pull/1654">https://github.com/rust-lang-nursery/futures-rs/pull/1654</a><br>
<a href="https://github.com/sagebind/isahc/issues/2" target="_blank" title="https://github.com/sagebind/isahc/issues/2">https://github.com/sagebind/isahc/issues/2</a><br>
<a href="https://github.com/devashishdxt/desse/issues/12" target="_blank" title="https://github.com/devashishdxt/desse/issues/12">https://github.com/devashishdxt/desse/issues/12</a><br>
<a href="https://github.com/seanmonstar/spmc/issues/10" target="_blank" title="https://github.com/seanmonstar/spmc/issues/10">https://github.com/seanmonstar/spmc/issues/10</a><br>
<a href="https://github.com/ebkalderon/renderdoc-rs/issues/28" target="_blank" title="https://github.com/ebkalderon/renderdoc-rs/issues/28">https://github.com/ebkalderon/renderdoc-rs/issues/28</a><br>
<a href="https://github.com/japaric/cortex-m-rtfm/pull/140" target="_blank" title="https://github.com/japaric/cortex-m-rtfm/pull/140">https://github.com/japaric/cortex-m-rtfm/pull/140</a><br>
<a href="https://github.com/Xudong-Huang/generator-rs/issues/9" target="_blank" title="https://github.com/Xudong-Huang/generator-rs/issues/9">https://github.com/Xudong-Huang/generator-rs/issues/9</a><br>
<a href="https://github.com/little-dude/netlink/issues/16" target="_blank" title="https://github.com/little-dude/netlink/issues/16">https://github.com/little-dude/netlink/issues/16</a><br>
more to come</p>



<a name="174630961"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174630961" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174630961">(Aug 31 2019 at 20:00)</a>:</h4>
<p>Wow, that's a LONG list and I'm still not done</p>



<a name="174631369"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174631369" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174631369">(Aug 31 2019 at 20:10)</a>:</h4>
<p>Okay, I'm done. I've looked through the first 15 pages of results for "unsound" in Rust code on GitHub, in issues and PRs, when ordered by relevance.<br>
Not looking at other keywords like "segfault" at this time.</p>



<a name="174631809"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174631809" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174631809">(Aug 31 2019 at 20:23)</a>:</h4>
<p><span aria-label="scream" class="emoji emoji-1f631" role="img" title="scream">:scream:</span></p>



<a name="174632316"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174632316" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174632316">(Aug 31 2019 at 20:38)</a>:</h4>
<p>Maybe we should make a habit of posting every advisory on Reddit to promote RustSec. So many vulns go unreported otherwise.</p>



<a name="174632493"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174632493" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174632493">(Aug 31 2019 at 20:44)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> I've noticed that I do not have permission to merge RustSec pull requests. Is that intentional?</p>



<a name="174632498"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174632498" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174632498">(Aug 31 2019 at 20:45)</a>:</h4>
<p>no, I just haven't done a proper team setup</p>



<a name="174632503"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174632503" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174632503">(Aug 31 2019 at 20:45)</a>:</h4>
<p>also wish we had GitHub Actions to automate this stuff. I should bug some people at GitHub about it</p>



<a name="174661118"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174661118" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174661118">(Sep 01 2019 at 13:04)</a>:</h4>
<p>Not sure what GitHub Actions are, but I could probably throw together a shell script to do that in 20 minutes or so</p>



<a name="174666084"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174666084" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174666084">(Sep 01 2019 at 15:36)</a>:</h4>
<p>haha uhh, I'd rather have something extensible/maintainable <span aria-label="stuck out tongue wink" class="emoji emoji-1f61c" role="img" title="stuck out tongue wink">:stuck_out_tongue_wink:</span></p>



<a name="174666095"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174666095" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174666095">(Sep 01 2019 at 15:37)</a>:</h4>
<p>something I've been thinking about doing is moving the Rust app that's presently in the <code>advisory-db</code> repo out into a separate CLI tool for performing administrative actions</p>



<a name="174666149"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174666149" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174666149">(Sep 01 2019 at 15:39)</a>:</h4>
<p>the other challenge is... credentials, if we want it to tweet, post to Reddit, etc</p>



<a name="174685783"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174685783" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174685783">(Sep 02 2019 at 02:02)</a>:</h4>
<p>finally filing <code>std</code> vulns: <a href="https://github.com/RustSec/advisory-db/pull/146" target="_blank" title="https://github.com/RustSec/advisory-db/pull/146">https://github.com/RustSec/advisory-db/pull/146</a></p>



<a name="174900419"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/174900419" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#174900419">(Sep 04 2019 at 16:55)</a>:</h4>
<p>oh boy <a href="https://github.com/RustSec/advisory-db/pull/149/files" target="_blank" title="https://github.com/RustSec/advisory-db/pull/149/files">https://github.com/RustSec/advisory-db/pull/149/files</a></p>



<a name="175176601"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/175176601" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#175176601">(Sep 08 2019 at 08:53)</a>:</h4>
<p>Aaand RustSec is now popular enough to be mentioned in memes: <a href="https://www.reddit.com/r/rustjerk/comments/d1716z/bad_unsafe_meme/" target="_blank" title="https://www.reddit.com/r/rustjerk/comments/d1716z/bad_unsafe_meme/">https://www.reddit.com/r/rustjerk/comments/d1716z/bad_unsafe_meme/</a></p>



<a name="175195289"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/175195289" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#175195289">(Sep 08 2019 at 18:54)</a>:</h4>
<p>hah</p>



<a name="175195301"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/175195301" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#175195301">(Sep 08 2019 at 18:55)</a>:</h4>
<p>well I'm about ready to release <code>rustsec</code> crate v0.13</p>



<a name="175195304"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/175195304" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#175195304">(Sep 08 2019 at 18:55)</a>:</h4>
<p>just hooked it up to the web site generator and it spat out pages for the <code>std</code> vulns: <a href="https://rustsec.org/advisories/CVE-2019-12083.html" target="_blank" title="https://rustsec.org/advisories/CVE-2019-12083.html">https://rustsec.org/advisories/CVE-2019-12083.html</a></p>



<a name="175195356"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/175195356" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#175195356">(Sep 08 2019 at 18:57)</a>:</h4>
<p>it's also displaying inverse dependency trees for the crates impacted by particular advisories à la <code>cargo-tree</code>:</p>



<a name="175195359"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/175195359" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#175195359">(Sep 08 2019 at 18:57)</a>:</h4>
<p><a href="/user_uploads/4715/TVhN1dQtUZhE0UsFU-cam-m7/pasted_image.png" target="_blank" title="pasted_image.png">pasted image</a></p>



<a name="175195364"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/175195364" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#175195364">(Sep 08 2019 at 18:57)</a>:</h4>
<p>sadly there doesn't appear to be a good resolution for that one other than opening upstream issues or just hitting the API directly <span aria-label="cry" class="emoji emoji-1f622" role="img" title="cry">:cry:</span></p>



<a name="175803360"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/175803360" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#175803360">(Sep 16 2019 at 11:26)</a>:</h4>
<blockquote>
<p>Aaand RustSec is now popular enough to be mentioned in memes: <a href="https://www.reddit.com/r/rustjerk/comments/d1716z/bad_unsafe_meme/" target="_blank" title="https://www.reddit.com/r/rustjerk/comments/d1716z/bad_unsafe_meme/">https://www.reddit.com/r/rustjerk/comments/d1716z/bad_unsafe_meme/</a></p>
</blockquote>
<p>it mentions Miri too &lt;3</p>



<a name="175803647"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/175803647" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#175803647">(Sep 16 2019 at 11:31)</a>:</h4>
<blockquote>
<p>oh boy <a href="https://github.com/RustSec/advisory-db/pull/149/files" target="_blank" title="https://github.com/RustSec/advisory-db/pull/149/files">https://github.com/RustSec/advisory-db/pull/149/files</a></p>
</blockquote>
<p>I am confused now... so we <em>are</em> filing advisories now for "de jure UB" without a known exploitability?<br>
(Last time I asked, the answer I got was "generally no")</p>



<a name="175803739"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/175803739" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#175803739">(Sep 16 2019 at 11:33)</a>:</h4>
<p>(not to mention that ptr provenance rules are still not set down, so it's at best "experimental de jure UB")</p>



<a name="175879274"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/175879274" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#175879274">(Sep 17 2019 at 06:17)</a>:</h4>
<p>ah, it hasn't been merged yet</p>



<a name="176021151"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176021151" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176021151">(Sep 18 2019 at 16:28)</a>:</h4>
<p>I suggested not merging that one</p>



<a name="176380527"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176380527" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176380527">(Sep 23 2019 at 15:41)</a>:</h4>
<p>FYI, just cut a release of the <code>rustsec</code> crate v0.13.0: <a href="https://github.com/RustSec/rustsec-crate/pull/103" target="_blank" title="https://github.com/RustSec/rustsec-crate/pull/103">https://github.com/RustSec/rustsec-crate/pull/103</a></p>



<a name="176380532"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176380532" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176380532">(Sep 23 2019 at 15:41)</a>:</h4>
<p>lots of new stuff</p>



<a name="176380619"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176380619" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176380619">(Sep 23 2019 at 15:42)</a>:</h4>
<p><span class="user-mention" data-user-id="116009">@nikomatsakis</span> another thing we could potentially contribute a Team Blog post for is the next release of <code>cargo-audit</code> and the new features it will have. I don't think there's ever been a blog post about RustSec at all, so it'd be a good way to raise awareness</p>



<a name="176413635"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176413635" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176413635">(Sep 23 2019 at 22:01)</a>:</h4>
<p>Why are we not posting to Reddit for every new advisory anymore? We should.</p>



<a name="176413648"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176413648" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176413648">(Sep 23 2019 at 22:01)</a>:</h4>
<p>Also before I subscribed to RustSec repos I never appreciated how much work goes into RustSec</p>



<a name="176418209"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176418209" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176418209">(Sep 23 2019 at 23:15)</a>:</h4>
<p>anymore? I haven't done that in the past but it's a good idea</p>



<a name="176470816"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176470816" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176470816">(Sep 24 2019 at 14:48)</a>:</h4>
<p><code>cargo-audit</code> v0.9.0-beta2 is out: <a href="https://crates.io/crates/cargo-audit/0.9.0-beta2" target="_blank" title="https://crates.io/crates/cargo-audit/0.9.0-beta2">https://crates.io/crates/cargo-audit/0.9.0-beta2</a></p>



<a name="176470859"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176470859" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176470859">(Sep 24 2019 at 14:49)</a>:</h4>
<p>would appreciate if people could test it out a bit, otherwise I think it's ready to go</p>



<a name="176471549"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176471549" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176471549">(Sep 24 2019 at 14:55)</a>:</h4>
<p>What's new in this version? It'll help in testing</p>



<a name="176472126"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176472126" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176472126">(Sep 24 2019 at 15:00)</a>:</h4>
<p>a number of features that aren't utilized yet, and a bunch of internal changes. but if you want something fancy you can see, check out the dependency trees</p>



<a name="176472150"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176472150" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176472150">(Sep 24 2019 at 15:00)</a>:</h4>
<p><a href="/user_uploads/4715/ldnZ1YWopV90b8vlsNHvkCkf/Screen-Shot-2019-09-24-at-7.50.11-AM.png" target="_blank" title="Screen-Shot-2019-09-24-at-7.50.11-AM.png">Screen-Shot-2019-09-24-at-7.50.11-AM.png</a></p>



<a name="176472187"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176472187" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176472187">(Sep 24 2019 at 15:01)</a>:</h4>
<p>need to put together a proper changelog <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="176505929"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176505929" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176505929">(Sep 24 2019 at 21:02)</a>:</h4>
<p>I think cargo-geiger and cargo-tree have basically the exact same thing... good opportunity for code sharing there</p>



<a name="176508345"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176508345" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176508345">(Sep 24 2019 at 21:30)</a>:</h4>
<p>the tree-rendering code that it uses is a minification of <code>cargo-tree</code> that works on a <code>Cargo.lock</code> file rather than... well <code>cargo-tree</code> does a rather extensive analysis from <code>Cargo.toml</code></p>



<a name="176508401"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176508401" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176508401">(Sep 24 2019 at 21:31)</a>:</h4>
<p>based on <code>petgraph</code>, also à la <code>cargo-tree</code></p>



<a name="176508496"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176508496" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176508496">(Sep 24 2019 at 21:32)</a>:</h4>
<p><a href="https://github.com/RustSec/cargo-lock/blob/master/src/dependency/tree.rs" target="_blank" title="https://github.com/RustSec/cargo-lock/blob/master/src/dependency/tree.rs">https://github.com/RustSec/cargo-lock/blob/master/src/dependency/tree.rs</a></p>



<a name="176598368"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176598368" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176598368">(Sep 25 2019 at 19:35)</a>:</h4>
<p><code>cargo-audit</code> v0.9.0 is out <a href="https://twitter.com/RustSec/status/1176936445698691072" target="_blank" title="https://twitter.com/RustSec/status/1176936445698691072">https://twitter.com/RustSec/status/1176936445698691072</a></p>
<div class="inline-preview-twitter"><div class="twitter-tweet"><a href="https://twitter.com/RustSec/status/1176936445698691072" target="_blank"><img class="twitter-avatar" src="https://pbs.twimg.com/profile_images/825186818278584320/zVKr7DJa_normal.jpg"></a><p>We just released v0.9.0 of cargo-audit: the RustSec Advisory DB client.

It has several new features including support for displaying inverse dependency trees which show how vulnerable crates are included in your project.

Full changelog here: <a href="https://t.co/7el7Ctnbh5" target="_blank" title="https://t.co/7el7Ctnbh5">https://github.com/RustSec/cargo-audit/blob/master/CHANGES.md#090-2019-09-25</a> <a href="https://t.co/NrgpdsoVUz" target="_blank" title="https://t.co/NrgpdsoVUz">https://twitter.com/RustSec/status/1176936445698691072/photo/1</a></p><span>- RustSec (@RustSec)</span><div class="twitter-image"><a href="https://t.co/NrgpdsoVUz" target="_blank" title="https://t.co/NrgpdsoVUz"><img src="https://pbs.twimg.com/media/EFVRdZSUYAAM2Pr.jpg:small"></a></div></div></div>



<a name="176615762"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176615762" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176615762">(Sep 25 2019 at 23:42)</a>:</h4>
<p>Ah, that explains why we suddenly started getting stack overflows when running cargo audit lol <a href="https://circleci.com/gh/mozilla/application-services/31924" target="_blank" title="https://circleci.com/gh/mozilla/application-services/31924">https://circleci.com/gh/mozilla/application-services/31924</a> (I'll file a bug about this tomorrow)</p>



<a name="176616274"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176616274" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176616274">(Sep 25 2019 at 23:53)</a>:</h4>
<p>haha, yeah a few bugs <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="176616362"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176616362" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176616362">(Sep 25 2019 at 23:55)</a>:</h4>
<p>Ended up filing it now: <a href="https://github.com/RustSec/cargo-audit/issues/133" target="_blank" title="https://github.com/RustSec/cargo-audit/issues/133">https://github.com/RustSec/cargo-audit/issues/133</a></p>



<a name="176617199"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176617199" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176617199">(Sep 26 2019 at 00:08)</a>:</h4>
<p><span class="user-mention" data-user-id="209168">@Thom Chiovoloni</span> reproed, thanks</p>



<a name="176624182"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176624182" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176624182">(Sep 26 2019 at 02:46)</a>:</h4>
<p><span class="user-mention" data-user-id="209168">@Thom Chiovoloni</span> I just released v0.9.1. Can you tell me if that fixes the problem? It did for me locally</p>



<a name="176660854"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176660854" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176660854">(Sep 26 2019 at 14:08)</a>:</h4>
<p>Seems to work, thanks</p>



<a name="176955657"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/176955657" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#176955657">(Sep 30 2019 at 17:49)</a>:</h4>
<p>this seems like the sort of vulnerability where it'd be nice if <code>cargo-audit</code> warned that you have a vulnerable version of the compiler activated: <a href="https://rustsec.org/advisories/CVE-2019-16760.html" target="_blank" title="https://rustsec.org/advisories/CVE-2019-16760.html">https://rustsec.org/advisories/CVE-2019-16760.html</a></p>



<a name="177178476"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177178476" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177178476">(Oct 02 2019 at 18:28)</a>:</h4>
<p><a href="https://github.com/RustSec/advisory-db/issues/173" target="_blank" title="https://github.com/RustSec/advisory-db/issues/173">https://github.com/RustSec/advisory-db/issues/173</a></p>



<a name="177178490"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177178490" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177178490">(Oct 02 2019 at 18:28)</a>:</h4>
<p>"File informational advisories for unmaintained crates"</p>



<a name="177259670"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177259670" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177259670">(Oct 03 2019 at 16:10)</a>:</h4>
<p>I opened a PR with a blog post about cargo-audit v0.9 if anyone would like to read it over before we publish it:</p>
<p>PR: <a href="https://github.com/rust-lang/blog.rust-lang.org/pull/412" target="_blank" title="https://github.com/rust-lang/blog.rust-lang.org/pull/412">https://github.com/rust-lang/blog.rust-lang.org/pull/412</a><br>
Rendered: <a href="https://github.com/rust-lang/blog.rust-lang.org/blob/bc83123b66940c3da405a7c9b6110c55987c6832/posts/inside-rust/2019-10-03-Keeping-secure-with-cargo-audit-0.9.md" target="_blank" title="https://github.com/rust-lang/blog.rust-lang.org/blob/bc83123b66940c3da405a7c9b6110c55987c6832/posts/inside-rust/2019-10-03-Keeping-secure-with-cargo-audit-0.9.md">https://github.com/rust-lang/blog.rust-lang.org/blob/bc83123b66940c3da405a7c9b6110c55987c6832/posts/inside-rust/2019-10-03-Keeping-secure-with-cargo-audit-0.9.md</a></p>



<a name="177262346"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177262346" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177262346">(Oct 03 2019 at 16:39)</a>:</h4>
<p>nm I guess it's already up! <span aria-label="sweat smile" class="emoji emoji-1f605" role="img" title="sweat smile">:sweat_smile:</span> <a href="https://blog.rust-lang.org/inside-rust/2019/10/03/Keeping-secure-with-cargo-audit-0.9.html" target="_blank" title="https://blog.rust-lang.org/inside-rust/2019/10/03/Keeping-secure-with-cargo-audit-0.9.html">https://blog.rust-lang.org/inside-rust/2019/10/03/Keeping-secure-with-cargo-audit-0.9.html</a></p>



<a name="177421725"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177421725" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177421725">(Oct 05 2019 at 16:41)</a>:</h4>
<p><a href="/user_uploads/4715/NmNLgadt8dn2mAatMd3sKugf/Screen-Shot-2019-10-05-at-9.41.00-AM.png" target="_blank" title="Screen-Shot-2019-10-05-at-9.41.00-AM.png">Screen-Shot-2019-10-05-at-9.41.00-AM.png</a></p>



<a name="177421733"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177421733" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177421733">(Oct 05 2019 at 16:41)</a>:</h4>
<p>blog post seems to have succeeded in increasing downloads <span aria-label="tada" class="emoji emoji-1f389" role="img" title="tada">:tada:</span></p>



<a name="177470319"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177470319" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177470319">(Oct 06 2019 at 18:03)</a>:</h4>
<p>We already have an advisory for <code>ncurses</code> crate (<a href="https://github.com/RustSec/advisory-db/pull/107" target="_blank" title="https://github.com/RustSec/advisory-db/pull/107">https://github.com/RustSec/advisory-db/pull/107</a>) because of format string vulnerabilities, but I've recently learned that nearly every single function in it is broken (<a href="https://github.com/jeaye/ncurses-rs/issues/188" target="_blank" title="https://github.com/jeaye/ncurses-rs/issues/188">https://github.com/jeaye/ncurses-rs/issues/188</a>). Should I file another advisory saying "EVERYTHING EXPLODES"?</p>



<a name="177532472"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177532472" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177532472">(Oct 07 2019 at 15:50)</a>:</h4>
<p>Yeah, the reason I didn't fix the specific issues in the ncurses crate (e.g. filing a PR that marked the clearly-never-sound-to-use parts of the API as <code>unsafe</code>) when I filed the advisory is because basically every time I stared for more than a few minutes at its functions I'd find new problems</p>



<a name="177547334"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177547334" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177547334">(Oct 07 2019 at 18:40)</a>:</h4>
<p>hahaha</p>



<a name="177743389"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177743389" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177743389">(Oct 09 2019 at 18:40)</a>:</h4>
<p>Neat: <a href="https://github.com/actions-rs/audit-check/" target="_blank" title="https://github.com/actions-rs/audit-check/">https://github.com/actions-rs/audit-check/</a></p>



<a name="177765379"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177765379" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177765379">(Oct 09 2019 at 23:29)</a>:</h4>
<p>RustSec advisories for unmaintained crates are getting attention now: <a href="https://www.reddit.com/r/rust/comments/dfm3ya/there_are_231_crates_which_might_depend_on_this/" target="_blank" title="https://www.reddit.com/r/rust/comments/dfm3ya/there_are_231_crates_which_might_depend_on_this/">https://www.reddit.com/r/rust/comments/dfm3ya/there_are_231_crates_which_might_depend_on_this/</a></p>



<a name="177765451"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177765451" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177765451">(Oct 09 2019 at 23:30)</a>:</h4>
<p>err, is that the right link?</p>



<a name="177765470"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177765470" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177765470">(Oct 09 2019 at 23:30)</a>:</h4>
<p>It is now!</p>



<a name="177765521"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/177765521" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#177765521">(Oct 09 2019 at 23:31)</a>:</h4>
<p>haha nice!</p>



<a name="178001270"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178001270" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178001270">(Oct 12 2019 at 18:39)</a>:</h4>
<p>Another rustsec-based tool: <a href="https://www.reddit.com/r/rust/comments/dgz1ci/announcing_cargoaudittags/" target="_blank" title="https://www.reddit.com/r/rust/comments/dgz1ci/announcing_cargoaudittags/">https://www.reddit.com/r/rust/comments/dgz1ci/announcing_cargoaudittags/</a></p>



<a name="178003619"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178003619" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178003619">(Oct 12 2019 at 19:45)</a>:</h4>
<p>nice. also here's someone who posted a vuln to Reddit <a href="https://www.reddit.com/r/rust/comments/dguqt3/vulnerability_in_sodiumoxide_generichashdigesteq/" target="_blank" title="https://www.reddit.com/r/rust/comments/dguqt3/vulnerability_in_sodiumoxide_generichashdigesteq/">https://www.reddit.com/r/rust/comments/dguqt3/vulnerability_in_sodiumoxide_generichashdigesteq/</a></p>



<a name="178005037"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178005037" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178005037">(Oct 12 2019 at 20:24)</a>:</h4>
<p>Is there a plan to take over rust-crypto? I could form a team unrelated to this wg that could maintain it</p>



<a name="178005459"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178005459" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178005459">(Oct 12 2019 at 20:36)</a>:</h4>
<p>personally I'd rather just let it die and be replaced by modern alternatives</p>



<a name="178005534"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178005534" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178005534">(Oct 12 2019 at 20:38)</a>:</h4>
<p>it has so many issues, both as a legacy pre-Rust 1.0 codebase, and just in terms of its overall design (and violating the CryptoCoding design principles like separating safe crypto APIs from "shoot yourself in the foot" APIs), I'd consider it fairly unsalvageable</p>



<a name="178005610"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178005610" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178005610">(Oct 12 2019 at 20:40)</a>:</h4>
<p><a href="https://arxiv.org/pdf/1806.04929.pdf" target="_blank" title="https://arxiv.org/pdf/1806.04929.pdf">https://arxiv.org/pdf/1806.04929.pdf</a></p>



<a name="178005638"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178005638" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178005638">(Oct 12 2019 at 20:41)</a>:</h4>
<p>see section 6 in particular</p>



<a name="178005639"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178005639" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178005639">(Oct 12 2019 at 20:41)</a>:</h4>
<p>things like this:</p>



<a name="178005640"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178005640" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178005640">(Oct 12 2019 at 20:41)</a>:</h4>
<blockquote>
<p>11) Hide low-level APIs in a separate API layer called<br>
"hazardous materials". By naming it like this, developers take notice that they might be doing something<br>
dangerous.</p>
</blockquote>



<a name="178006162"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178006162" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178006162">(Oct 12 2019 at 20:57)</a>:</h4>
<p>Ah, makes sense. Better then to spend efforts on going through its reverse dependencies and suggesting them alternatives. Thanks</p>



<a name="178008304"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178008304" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178008304">(Oct 12 2019 at 21:59)</a>:</h4>
<p>yup! and hopefully the unmaintained crate advisory helps that process happen organically</p>



<a name="178561553"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178561553" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178561553">(Oct 19 2019 at 20:16)</a>:</h4>
<p>just noticed cargo-audit is the #1 cargo plugin by recent downloads <a href="https://crates.io/categories/development-tools::cargo-plugins" target="_blank" title="https://crates.io/categories/development-tools::cargo-plugins">https://crates.io/categories/development-tools::cargo-plugins</a></p>



<a name="178561554"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178561554" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178561554">(Oct 19 2019 at 20:16)</a>:</h4>
<p>#4 by all-time downloads</p>



<a name="178865864"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178865864" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178865864">(Oct 23 2019 at 15:34)</a>:</h4>
<p><a href="https://github.com/abonander/safemem/issues/7" target="_blank" title="https://github.com/abonander/safemem/issues/7">https://github.com/abonander/safemem/issues/7</a></p>



<a name="178865974"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178865974" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178865974">(Oct 23 2019 at 15:36)</a>:</h4>
<p>WDYT re: an advisory? I'm leaning towards yes, although I'm a little unclear on exploitability</p>



<a name="178875271"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178875271" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178875271">(Oct 23 2019 at 17:14)</a>:</h4>
<p>This allows access to an uninitialized &amp;[T] where T: Copy? Not sure, that doesn't feel exploitable at all to me.</p>



<a name="178875850"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178875850" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178875850">(Oct 23 2019 at 17:21)</a>:</h4>
<p>here's the actual advisory PR if anyone wants to leave a comment: <a href="https://github.com/RustSec/advisory-db/pull/198" target="_blank" title="https://github.com/RustSec/advisory-db/pull/198">https://github.com/RustSec/advisory-db/pull/198</a></p>



<a name="178875865"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178875865" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178875865">(Oct 23 2019 at 17:21)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> <span class="user-mention" data-user-id="127617">@Shnatsel</span> any thoughts on ^^^ ?</p>



<a name="178875880"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178875880" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178875880">(Oct 23 2019 at 17:21)</a>:</h4>
<p>or <span class="user-mention" data-user-id="130046">@Alex Gaynor</span></p>



<a name="178882271"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178882271" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178882271">(Oct 23 2019 at 18:29)</a>:</h4>
<p>thanks for looking <span class="user-mention" data-user-id="120791">@RalfJ</span></p>



<a name="178997643"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178997643" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178997643">(Oct 24 2019 at 21:07)</a>:</h4>
<p><a href="https://twitter.com/naftulikay/status/1187128722664517632" target="_blank" title="https://twitter.com/naftulikay/status/1187128722664517632">https://twitter.com/naftulikay/status/1187128722664517632</a></p>
<div class="inline-preview-twitter"><div class="twitter-tweet"><a href="https://twitter.com/naftulikay/status/1187128722664517632" target="_blank"><img class="twitter-avatar" src="https://pbs.twimg.com/profile_images/940480286717906944/NMp4pC4u_normal.jpg"></a><p>.<a href="https://twitter.com/travisci" target="_blank" title="https://twitter.com/travisci">@travisci</a> I wanted to contribute adding cargo-audit to the Travis CI <a href="https://twitter.com/rustlang" target="_blank" title="https://twitter.com/rustlang">@rustlang</a> build environment but I'm not sure where to get started. Where does the code live for creating the build environment?</p><span>- Naftuli Kay (@naftulikay)</span></div></div>



<a name="178997724"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178997724" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178997724">(Oct 24 2019 at 21:08)</a>:</h4>
<p><span class="user-mention" data-user-id="130046">@Alex Gaynor</span> ^^^ seems like the best way to fix Travis CI</p>



<a name="178997732"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/178997732" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#178997732">(Oct 24 2019 at 21:08)</a>:</h4>
<p>and ooh <a href="https://twitter.com/fedor/status/1187178265464791040" target="_blank" title="https://twitter.com/fedor/status/1187178265464791040">https://twitter.com/fedor/status/1187178265464791040</a></p>
<div class="inline-preview-twitter"><div class="twitter-tweet"><a href="https://twitter.com/fedor/status/1187178265464791040" target="_blank"><img class="twitter-avatar" src="https://pbs.twimg.com/profile_images/640672034020679681/kxzWT48N_normal.jpg"></a><p><a href="https://twitter.com/naftulikay" target="_blank" title="https://twitter.com/naftulikay">@naftulikay</a> <a href="https://twitter.com/travisci" target="_blank" title="https://twitter.com/travisci">@travisci</a> <a href="https://twitter.com/rustlang" target="_blank" title="https://twitter.com/rustlang">@rustlang</a> Seems this is what you are looking for <a href="https://t.co/E9pA3AJXp8" target="_blank" title="https://t.co/E9pA3AJXp8">https://github.com/travis-ci/travis-build/blob/100d373caf54e701307d40e8c4d358394237e0f6/lib/travis/build/script/rust.rb</a></p><span>- Fedor Korotkov (@fedor)</span></div></div>



<a name="179019587"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/179019587" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#179019587">(Oct 25 2019 at 03:47)</a>:</h4>
<p>That'd definitely be a neat solution.</p>



<a name="179021687"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/179021687" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#179021687">(Oct 25 2019 at 04:50)</a>:</h4>
<p>(deleted)</p>



<a name="179184325"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/179184325" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#179184325">(Oct 27 2019 at 19:53)</a>:</h4>
<p>heh, there are now two (more or less competing) PRs for a <code>cargo audit fix</code> command</p>



<a name="179184329"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/179184329" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#179184329">(Oct 27 2019 at 19:53)</a>:</h4>
<p>which more or less take the same strategy: pull in <code>cargo-edit</code> as a library</p>



<a name="179184374"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/179184374" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#179184374">(Oct 27 2019 at 19:54)</a>:</h4>
<p>Neat. It seems like a pretty sensible strategy</p>



<a name="179184382"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/179184382" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#179184382">(Oct 27 2019 at 19:54)</a>:</h4>
<p>yeah, and we can put it under a <code>fix</code> feature or something if people want faster compile times</p>



<a name="179184452"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/179184452" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#179184452">(Oct 27 2019 at 19:56)</a>:</h4>
<p>it's kind of cool, I think they both implement the minimum viable KISS solution to upgrade the project: take the fixed version req and tell <code>cargo-edit</code> "upgrade to that"</p>



<a name="179184461"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/179184461" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#179184461">(Oct 27 2019 at 19:57)</a>:</h4>
<p>which should... hopefully pull in the most recent version that's compatible</p>



<a name="179184468"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/179184468" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#179184468">(Oct 27 2019 at 19:57)</a>:</h4>
<p>and implementation-wise they're both tiny</p>



<a name="181866832"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/181866832" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#181866832">(Nov 25 2019 at 21:48)</a>:</h4>
<p><a href="https://github.com/hyperium/http/issues/354" target="_blank" title="https://github.com/hyperium/http/issues/354">https://github.com/hyperium/http/issues/354</a> - this deserves an advisory. If one is not opened by maintainers in the next 24 hours we should look into it</p>



<a name="181888944"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/181888944" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#181888944">(Nov 26 2019 at 04:22)</a>:</h4>
<p>whoa, indeed</p>



<a name="181888978"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/181888978" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#181888978">(Nov 26 2019 at 04:23)</a>:</h4>
<p>I evaluated using some of the types from that crate in a barebones HTTP library I wrote (for talking to HSMs in a high security context) and uhh, yeah...</p>



<a name="181889025"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/181889025" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#181889025">(Nov 26 2019 at 04:24)</a>:</h4>
<p>I like the goals of that crate</p>



<a name="181889031"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/181889031" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#181889031">(Nov 26 2019 at 04:24)</a>:</h4>
<p>but felt like way too much <code>unsafe</code></p>



<a name="182065165"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/182065165" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#182065165">(Nov 27 2019 at 22:44)</a>:</h4>
<p>this looks cool <a href="https://github.com/calibra/cargo-guppy" target="_blank" title="https://github.com/calibra/cargo-guppy">https://github.com/calibra/cargo-guppy</a></p>



<a name="182065294"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/182065294" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#182065294">(Nov 27 2019 at 22:46)</a>:</h4>
<p>This also looks cool: <a href="https://github.com/tokio-rs/bytes/issues/328" target="_blank" title="https://github.com/tokio-rs/bytes/issues/328">https://github.com/tokio-rs/bytes/issues/328</a><br>
Subtle UB that was discovered and posted on Reddit a few days ago. I created a rustc issue to document it better, and now it turns out you can do UB in safe code with the <code>bytes</code> crate</p>



<a name="182067989"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/182067989" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#182067989">(Nov 27 2019 at 23:30)</a>:</h4>
<p>oof</p>



<a name="182068033"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/182068033" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#182068033">(Nov 27 2019 at 23:31)</a>:</h4>
<p>welp, if the whole Rust ecosystem upgrades because of a bytes vuln... seems good, heh</p>



<a name="182070889"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/182070889" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#182070889">(Nov 28 2019 at 00:12)</a>:</h4>
<p>It's not a vuln per se - you need to write something pretty contrived for that to actually be an issue. I wonder how to handle that in RustSec</p>



<a name="182075794"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/182075794" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#182075794">(Nov 28 2019 at 01:59)</a>:</h4>
<p>sounds like the <code>memoffset</code> vuln</p>



<a name="182105159"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/182105159" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#182105159">(Nov 28 2019 at 12:38)</a>:</h4>
<blockquote>
<p>This also looks cool: <a href="https://github.com/tokio-rs/bytes/issues/328" target="_blank" title="https://github.com/tokio-rs/bytes/issues/328">https://github.com/tokio-rs/bytes/issues/328</a><br>
Subtle UB that was discovered and posted on Reddit a few days ago. I created a rustc issue to document it better, and now it turns out you can do UB in safe code with the <code>bytes</code> crate</p>
</blockquote>
<p>do you have links to the original conversation? I checked the issue you created, no link there either. it's always nice to be able to get more context.</p>



<a name="182142949"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/182142949" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#182142949">(Nov 29 2019 at 00:25)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> here is the original conversation: <a href="https://www.reddit.com/r/rust/comments/e0pivs/psa_casting_from_mut_t_to_mut_maybeuninitt_is_not/" target="_blank" title="https://www.reddit.com/r/rust/comments/e0pivs/psa_casting_from_mut_t_to_mut_maybeuninitt_is_not/">https://www.reddit.com/r/rust/comments/e0pivs/psa_casting_from_mut_t_to_mut_maybeuninitt_is_not/</a><br>
I was sure I'd included it in the report... well, I sure intended to.</p>



<a name="182195414"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/182195414" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#182195414">(Nov 29 2019 at 18:05)</a>:</h4>
<p>happens ;) thanks!</p>



<a name="182195430"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/182195430" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#182195430">(Nov 29 2019 at 18:05)</a>:</h4>
<blockquote>
<p>since &amp;mut T is already initialized, casting it to &amp;mut MaybeUninit&lt;T&gt; can't cause harm, right?</p>
</blockquote>
<p>that's exactly what I suspected... this is literally covariance of <code>&amp;mut</code></p>



<a name="183255170"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/183255170" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#183255170">(Dec 12 2019 at 12:49)</a>:</h4>
<p>I'm still sick so can't do anything particularly useful at the moment. Browsing bug trackers out of nothing else to do. <a href="https://github.com/image-rs/canvas/issues/6" target="_blank" title="https://github.com/image-rs/canvas/issues/6">https://github.com/image-rs/canvas/issues/6</a> - this is actually a bug in zerocopy, should it get a RustSec advisory?</p>



<a name="183255249"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/183255249" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#183255249">(Dec 12 2019 at 12:50)</a>:</h4>
<p>Sounds like it.</p>



<a name="183255513"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/183255513" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#183255513">(Dec 12 2019 at 12:54)</a>:</h4>
<p>OK, I might get around to it once I recover, if anyone beats me to it I'll be glad</p>



<a name="183329339"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/183329339" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#183329339">(Dec 13 2019 at 05:10)</a>:</h4>
<p>blah a lot of "to files"</p>



<a name="183329356"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/183329356" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#183329356">(Dec 13 2019 at 05:10)</a>:</h4>
<p>this was fun, heh <a href="https://github.com/tokio-rs/bytes/commit/17a8ac91e078532e0cbbe15234d84ef2e4543f7c" target="_blank" title="https://github.com/tokio-rs/bytes/commit/17a8ac91e078532e0cbbe15234d84ef2e4543f7c">https://github.com/tokio-rs/bytes/commit/17a8ac91e078532e0cbbe15234d84ef2e4543f7c</a></p>



<a name="183329359"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/183329359" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#183329359">(Dec 13 2019 at 05:11)</a>:</h4>
<p>not sure it deserves an advisory per se</p>



<a name="183329362"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/183329362" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#183329362">(Dec 13 2019 at 05:11)</a>:</h4>
<p>but an interesting story</p>



<a name="184271691"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/184271691" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#184271691">(Dec 26 2019 at 17:11)</a>:</h4>
<blockquote>
<p>this was fun, heh <a href="https://github.com/tokio-rs/bytes/commit/17a8ac91e078532e0cbbe15234d84ef2e4543f7c" target="_blank" title="https://github.com/tokio-rs/bytes/commit/17a8ac91e078532e0cbbe15234d84ef2e4543f7c">https://github.com/tokio-rs/bytes/commit/17a8ac91e078532e0cbbe15234d84ef2e4543f7c</a></p>
</blockquote>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> that sounds odd... indeed it doesn't return a heap allocation but it should still be sufficiently aligned (as in, as aligned as the type requires)?</p>



<a name="184271745"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/184271745" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#184271745">(Dec 26 2019 at 17:12)</a>:</h4>
<p>or does that code (incorrectly!) assume that e.g. <code>Box&lt;u8&gt;</code> is aligned in any particular way?</p>



<a name="184286624"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/184286624" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#184286624">(Dec 26 2019 at 22:36)</a>:</h4>
<p>It assumes that the address returned from the memory allocator cannot be odd and uses that last bit for its own signaling purposes</p>



<a name="184286689"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/184286689" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#184286689">(Dec 26 2019 at 22:38)</a>:</h4>
<p>If you expand the code below the diff you'll see <code>let data = ptr as usize | KIND_VEC;</code> - that's the most interesting part</p>



<a name="184286775"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/184286775" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#184286775">(Dec 26 2019 at 22:40)</a>:</h4>
<p>More background and discussion of the issue here: <a href="https://github.com/tokio-rs/bytes/issues/343" target="_blank" title="https://github.com/tokio-rs/bytes/issues/343">https://github.com/tokio-rs/bytes/issues/343</a></p>



<a name="184499667"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/184499667" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#184499667">(Dec 30 2019 at 20:49)</a>:</h4>
<blockquote>
<p>It assumes that the address returned from the memory allocator cannot be odd and uses that last bit for its own signaling purposes</p>
</blockquote>
<p>yeah that's incorrect -- but they fixed that since then</p>



<a name="184758695"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/184758695" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#184758695">(Jan 03 2020 at 19:04)</a>:</h4>
<p>RustSec stats: 2016 - 2019: <a href="https://twitter.com/RustSec/status/1213173115041267712" target="_blank" title="https://twitter.com/RustSec/status/1213173115041267712">https://twitter.com/RustSec/status/1213173115041267712</a></p>
<div class="inline-preview-twitter"><div class="twitter-tweet"><p>A look at the number of vulnerabilities filed in the RustSec Advisory Database: 2016-2019 <a href="https://t.co/uTm4e4ZcMe" target="_blank" title="https://t.co/uTm4e4ZcMe">https://twitter.com/RustSec/status/1213173115041267712/photo/1</a></p><span>- RustSec (@RustSec)</span></div></div>



<a name="184766300"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/184766300" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#184766300">(Jan 03 2020 at 20:45)</a>:</h4>
<p>We'd have a lot more bugs in stdlib discovered if anyone were actually looking</p>



<a name="184766312"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/184766312" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#184766312">(Jan 03 2020 at 20:45)</a>:</h4>
<p><a href="https://github.com/Eh2406/auto-fuzz-test" target="_blank" title="https://github.com/Eh2406/auto-fuzz-test">https://github.com/Eh2406/auto-fuzz-test</a> could help here a lot</p>



<a name="184807123"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/184807123" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#184807123">(Jan 04 2020 at 14:55)</a>:</h4>
<p>CVEs in bundled libs are a whole new source of RustSec advisories. Here's an example: <a href="https://github.com/alexcrichton/curl-rust/issues/275" target="_blank" title="https://github.com/alexcrichton/curl-rust/issues/275">https://github.com/alexcrichton/curl-rust/issues/275</a></p>



<a name="184807348"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/184807348" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#184807348">(Jan 04 2020 at 15:00)</a>:</h4>
<p>fun times. this is going to be great with e.g. <code>git2</code> + <code>vendored-openssl</code></p>



<a name="185436085"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/185436085" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#185436085">(Jan 12 2020 at 14:17)</a>:</h4>
<p>fun new feature: <code>cargo audit</code> can now warn for yanked crates in your Cargo.lock: <a href="https://github.com/RustSec/cargo-audit/pull/180" target="_blank" title="https://github.com/RustSec/cargo-audit/pull/180">https://github.com/RustSec/cargo-audit/pull/180</a></p>



<a name="185822281"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/185822281" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#185822281">(Jan 16 2020 at 15:03)</a>:</h4>
<p>Remote DoS (stack overflow) in Prost via attacker-controlled data: <a href="https://github.com/danburkert/prost/issues/267" target="_blank" title="https://github.com/danburkert/prost/issues/267">https://github.com/danburkert/prost/issues/267</a></p>



<a name="185822350"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/185822350" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#185822350">(Jan 16 2020 at 15:04)</a>:</h4>
<p>/me wonders where we're at on that being a soundness violation on certain platforms <span aria-label="grimacing" class="emoji emoji-1f62c" role="img" title="grimacing">:grimacing:</span></p>



<a name="185822363"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/185822363" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#185822363">(Jan 16 2020 at 15:04)</a>:</h4>
<p>I know there are stack probes to prevent it on x86/x86_64</p>



<a name="185822372"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/185822372" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#185822372">(Jan 16 2020 at 15:04)</a>:</h4>
<p>but what else? does that work on e.g. ARM?</p>



<a name="185822377"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/185822377" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#185822377">(Jan 16 2020 at 15:04)</a>:</h4>
<p>/me suddenly cares a lot about ARM, heh</p>



<a name="185822877"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/185822877" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#185822877">(Jan 16 2020 at 15:09)</a>:</h4>
<p>I think it may be unsound on embedded ARM, but on the likes of Raspberry Pi where you're running on Linux I hope it will still put the guard page in there</p>



<a name="185822892"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/185822892" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#185822892">(Jan 16 2020 at 15:09)</a>:</h4>
<p>you'd better double-check though</p>



<a name="185830132"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/185830132" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#185830132">(Jan 16 2020 at 16:16)</a>:</h4>
<p>CPU I'm concerned with is a non-RasPi Cortex-A</p>



<a name="185830173"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/185830173" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#185830173">(Jan 16 2020 at 16:16)</a>:</h4>
<p>(32-bit)</p>



<a name="185830224"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/185830224" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#185830224">(Jan 16 2020 at 16:16)</a>:</h4>
<p>USB armory <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span> <a href="https://github.com/iqlusioninc/usbarmory.rs" target="_blank" title="https://github.com/iqlusioninc/usbarmory.rs">https://github.com/iqlusioninc/usbarmory.rs</a></p>



<a name="185830775"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/185830775" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#185830775">(Jan 16 2020 at 16:21)</a>:</h4>
<p>re: stack probes <a href="https://github.com/rust-lang/rust/issues/43241" target="_blank" title="https://github.com/rust-lang/rust/issues/43241">https://github.com/rust-lang/rust/issues/43241</a></p>



<a name="185847326"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/185847326" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#185847326">(Jan 16 2020 at 19:00)</a>:</h4>
<p><em>mumble mumble ss segment limit</em></p>



<a name="186422690"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/186422690" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#186422690">(Jan 23 2020 at 19:02)</a>:</h4>
<p>FYI, <code>cargo audit</code> v0.11 is out. I wrote a blog post about the new features here: <a href="https://github.com/rust-lang/blog.rust-lang.org/pull/495" target="_blank" title="https://github.com/rust-lang/blog.rust-lang.org/pull/495">https://github.com/rust-lang/blog.rust-lang.org/pull/495</a></p>



<a name="186447866"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/186447866" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#186447866">(Jan 23 2020 at 23:31)</a>:</h4>
<p>post is up here: <a href="https://blog.rust-lang.org/inside-rust/2020/01/23/Introducing-cargo-audit-fix-and-more.html" target="_blank" title="https://blog.rust-lang.org/inside-rust/2020/01/23/Introducing-cargo-audit-fix-and-more.html">https://blog.rust-lang.org/inside-rust/2020/01/23/Introducing-cargo-audit-fix-and-more.html</a></p>



<a name="187727005"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/187727005" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#187727005">(Feb 08 2020 at 18:40)</a>:</h4>
<p><code>cargo-deny</code> integrates with <code>rustsec</code>, has nice things to say about it: <a href="https://github.com/Jake-Shadle/talks/blob/master/deny/slides.md#advisories" target="_blank" title="https://github.com/Jake-Shadle/talks/blob/master/deny/slides.md#advisories">https://github.com/Jake-Shadle/talks/blob/master/deny/slides.md#advisories</a><br>
(These are slides from a FOSDEM presentation)</p>



<a name="187727013"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/187727013" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#187727013">(Feb 08 2020 at 18:41)</a>:</h4>
<p>their ignores are quite shaky in the sense that they ignore all problems with a particular crate, as opposed to a particular problem</p>



<a name="187731136"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/187731136" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#187731136">(Feb 08 2020 at 20:55)</a>:</h4>
<p>Also, a use-after-free in crossbeam has been discovered: <a href="https://github.com/crossbeam-rs/crossbeam/issues/238" target="_blank" title="https://github.com/crossbeam-rs/crossbeam/issues/238">https://github.com/crossbeam-rs/crossbeam/issues/238</a><br>
...a very long time ago, wow</p>



<a name="188287023"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/188287023" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#188287023">(Feb 15 2020 at 15:14)</a>:</h4>
<p>oof</p>



<a name="188343842"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/188343842" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#188343842">(Feb 16 2020 at 23:34)</a>:</h4>
<p>Just leaving this here for later follow-up - another vuln that should be in the rustsec DB: <a href="https://github.com/Nebulosus/shamir/issues/3" target="_blank" title="https://github.com/Nebulosus/shamir/issues/3">https://github.com/Nebulosus/shamir/issues/3</a></p>



<a name="188362998"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/188362998" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#188362998">(Feb 17 2020 at 09:23)</a>:</h4>
<p>speaking of crossbeam, here's another piece of UB (not sure if exploitable): <a href="https://github.com/crossbeam-rs/crossbeam/issues/468" target="_blank" title="https://github.com/crossbeam-rs/crossbeam/issues/468">https://github.com/crossbeam-rs/crossbeam/issues/468</a></p>



<a name="188486194"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/188486194" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#188486194">(Feb 18 2020 at 20:05)</a>:</h4>
<p>(deleted)</p>



<a name="190794137"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190794137" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#190794137">(Mar 16 2020 at 23:51)</a>:</h4>
<p>FYI, some more traction on outside collaboration in <code>rustsec</code> and <code>cargo-audit</code>. Love it <a href="https://github.com/RustSec/rustsec-crate/pull/156#issuecomment-599807817" target="_blank" title="https://github.com/RustSec/rustsec-crate/pull/156#issuecomment-599807817">https://github.com/RustSec/rustsec-crate/pull/156#issuecomment-599807817</a></p>



<a name="190927607"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190927607" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#190927607">(Mar 18 2020 at 00:18)</a>:</h4>
<p>somebody (not sure who) has opened MITRE CVEs for all RustSec advisories: <a href="https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust" target="_blank" title="https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust">https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust</a><br>
this list is linked in the paper</p>



<a name="190927965"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190927965" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#190927965">(Mar 18 2020 at 00:26)</a>:</h4>
<p>fantastic!</p>



<a name="190928053"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190928053" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#190928053">(Mar 18 2020 at 00:28)</a>:</h4>
<p>they all just link to <a href="http://rustsec.org" target="_blank" title="http://rustsec.org">rustsec.org</a> too, without further details, so rustsec db is still the source of truth</p>



<a name="190928091"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190928091" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#190928091">(Mar 18 2020 at 00:29)</a>:</h4>
<p>Now to make RustSec DB entries link to CVEs... I wonder if there's an API for CVEs? If so looks straightforward. Wouldn't want to build a web scraper though.</p>



<a name="190928298"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190928298" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#190928298">(Mar 18 2020 at 00:33)</a>:</h4>
<p>yeah I can figure it out</p>



<a name="190964455"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190964455" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#190964455">(Mar 18 2020 at 10:56)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190927607" title="#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190927607">said</a>:</p>
<blockquote>
<p>somebody (not sure who) has opened MITRE CVEs for all RustSec advisories: <a href="https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust" target="_blank" title="https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust">https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust</a><br>
this list is linked in the paper</p>
</blockquote>
<p>so unsound public APIs in a lib (but not exploitable in any known end-user app) now generate CVEs?<br>
sounds good, OTOH this will totally destroy any statistics that try to compare Rust with other languages by looking at the number of CVEs.^^</p>



<a name="190967007"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190967007" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#190967007">(Mar 18 2020 at 11:27)</a>:</h4>
<p>Apparently yes! Or at least they've been generated up to this point, not sure about future bugs of this kind.<br>
Number of CVEs is a rather poor measure of security because e.g. for C code they're wildly under-reported</p>



<a name="190979897"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190979897" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#190979897">(Mar 18 2020 at 13:34)</a>:</h4>
<p>Huh. RustSec has <em>extra</em> legit CVEs, not DWF/iwantacve.org ones. Interesting.</p>



<a name="191003898"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/191003898" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#191003898">(Mar 18 2020 at 16:14)</a>:</h4>
<p>huh</p>



<a name="191004727"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/191004727" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#191004727">(Mar 18 2020 at 16:19)</a>:</h4>
<p>I've updated RustSec advisories with CVE links: <a href="https://github.com/RustSec/advisory-db/pull/245" target="_blank" title="https://github.com/RustSec/advisory-db/pull/245">https://github.com/RustSec/advisory-db/pull/245</a></p>



<a name="191004903"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/191004903" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#191004903">(Mar 18 2020 at 16:21)</a>:</h4>
<p>whoa, awesome! thanks!</p>



<a name="191005483"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/191005483" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#191005483">(Mar 18 2020 at 16:25)</a>:</h4>
<p>It was a nice excuse to exercise my shell-fu</p>



<a name="191194855"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/191194855" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#191194855">(Mar 20 2020 at 01:24)</a>:</h4>
<p>I'm currently a member of RustSec org on github but don't have the power to merge PRs. Is that intentional?</p>



<a name="192327734"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192327734" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192327734">(Mar 30 2020 at 22:56)</a>:</h4>
<p>Wow, that's a doozy: <a href="https://github.com/RustSec/advisory-db/pull/255" title="https://github.com/RustSec/advisory-db/pull/255">https://github.com/RustSec/advisory-db/pull/255</a><br>
I'll have to make a Reddit post about this one.</p>



<a name="192454665"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192454665" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192454665">(Mar 31 2020 at 21:51)</a>:</h4>
<p>I mean it seems like a pretty niche vulnerability. I'm... not sure you do. It's not like most users would be exposed to it, and it seems liable just to generate hostility/toxicity</p>



<a name="192458617"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192458617" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192458617">(Mar 31 2020 at 21:59)</a>:</h4>
<p>I've watched a DEFCON talk about this kind of vulnerability and it didn't seem niche to me. Most production deployments have a load balancer in front of them and so would be affected, since the two implementations have a different view of where one request ends and another begins</p>



<a name="192458674"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192458674" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192458674">(Mar 31 2020 at 21:59)</a>:</h4>
<p>But perhaps I'm misunderstanding or missing something. I'd love to hear from maintainers, and already replied on the relevant issue notifying them of the vulnerability report and asking for more info.</p>



<a name="192464738"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192464738" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> HeroicKatora <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192464738">(Mar 31 2020 at 23:08)</a>:</h4>
<p>Resource smuggling is typically exploitable in a proxy setting, especially if presented like this. Imagine a (correctly behaving) proxy aggregates requests from multiple users to a single connection into the backend. Through this vulnerability, client A can interfere with the requests of client B. Typically this involves then crafting just the right body so that client B's headers are used for a request of client A, i.e. temporarily take over their credentials.</p>



<a name="192557113"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192557113" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192557113">(Apr 01 2020 at 16:44)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190964455" title="#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190964455">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190927607" title="#narrow/stream/146229-wg-secure-code/topic/RustSec/near/190927607">said</a>:</p>
<blockquote>
<p>somebody (not sure who) has opened MITRE CVEs for all RustSec advisories: <a href="https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust" title="https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust">https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust</a><br>
this list is linked in the paper</p>
</blockquote>
<p>so unsound public APIs in a lib (but not exploitable in any known end-user app) now generate CVEs?<br>
sounds good, OTOH this will totally destroy any statistics that try to compare Rust with other languages by looking at the number of CVEs.^^</p>
</blockquote>
<p>looks like I am not the only one who is concerned about that: <a href="https://boats.gitlab.io/blog/post/vulnerabilities/" title="https://boats.gitlab.io/blog/post/vulnerabilities/">https://boats.gitlab.io/blog/post/vulnerabilities/</a></p>



<a name="192559215"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192559215" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192559215">(Apr 01 2020 at 16:58)</a>:</h4>
<p>Ultimately, all a CVE identifier means is "There is some code that could pose a security vulnerability in some context. Here's an identifier to refer to it".<br>
However, there is a system on top of it called CVSS that tries to gauge how severe a given vulnerability is - which includes what kind of access you need to have to exploit it. I don't recall ever entering it for any CVEs I applied for, yet it seems to be attached to Rust CVEs somehow. They look incorrect and quite random to me.</p>



<a name="192602880"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192602880" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192602880">(Apr 01 2020 at 23:01)</a>:</h4>
<p>CVSS are basically always like that in OSS projects in my experience. Libraries very rarely have the context needed to properly assess impact.</p>



<a name="192686622"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192686622" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> cuviper <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192686622">(Apr 02 2020 at 15:52)</a>:</h4>
<p>Red Hat assigns its own CVSS scores, e.g. <a href="https://access.redhat.com/security/cve/CVE-2018-1000810" title="https://access.redhat.com/security/cve/CVE-2018-1000810">https://access.redhat.com/security/cve/CVE-2018-1000810</a></p>



<a name="192686712"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192686712" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> cuviper <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192686712">(Apr 02 2020 at 15:53)</a>:</h4>
<p>the product security team will consult package maintainers like me, but ultimately make their own decision</p>



<a name="192858793"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192858793" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192858793">(Apr 03 2020 at 20:19)</a>:</h4>
<p>I'm trying to write an overview of RustSec vulnerabilities from March, and also get in the habit of posting these things monthly, to give RustSec more visibility. Here's the first draft, I think it has a lot of room for improvement so I would very much appreciate edits. Editing is open to everyone.<br>
<a href="https://hackmd.io/@xmxSgN6MSImJPcY4MOKfjA/ByyD7MBDU/edit" title="https://hackmd.io/@xmxSgN6MSImJPcY4MOKfjA/ByyD7MBDU/edit">https://hackmd.io/@xmxSgN6MSImJPcY4MOKfjA/ByyD7MBDU/edit</a></p>



<a name="192859962"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192859962" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192859962">(Apr 03 2020 at 20:30)</a>:</h4>
<p><span class="user-mention" data-user-id="133247">@bjorn3</span>  thanks for the pointer to <a href="https://github.com/actions-rs/audit-check" title="https://github.com/actions-rs/audit-check">https://github.com/actions-rs/audit-check</a> !</p>



<a name="192859988"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192859988" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192859988">(Apr 03 2020 at 20:30)</a>:</h4>
<p>I've revised the paragraph and dropped the TODO</p>



<a name="192971482"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192971482" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#192971482">(Apr 05 2020 at 18:28)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> could you add 1-2 sentences introducing RustSec and review the rest? I want to get an explicit approval from you before this is posted</p>



<a name="193069535"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193069535" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193069535">(Apr 06 2020 at 16:50)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/RustSec/near/191194855" title="#narrow/stream/146229-wg-secure-code/topic/RustSec/near/191194855">said</a>:</p>
<blockquote>
<p>I'm currently a member of RustSec org on github but don't have the power to merge PRs. Is that intentional?</p>
</blockquote>
<p>no, I need to properly set up teams and add people.</p>



<a name="193069543"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193069543" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193069543">(Apr 06 2020 at 16:50)</a>:</h4>
<p>alas, I've been pretty behind on a lot of stuff lately...</p>



<a name="193069838"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193069838" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193069838">(Apr 06 2020 at 16:52)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192859962" title="#narrow/stream/146229-wg-secure-code/topic/RustSec/near/192859962">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="133247">bjorn3</span>  thanks for the pointer to <a href="https://github.com/actions-rs/audit-check" title="https://github.com/actions-rs/audit-check">https://github.com/actions-rs/audit-check</a> !</p>
</blockquote>
<p>also this is great... I use it on all my projects, or at least have slowly been moving them over</p>



<a name="193079815"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193079815" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193079815">(Apr 06 2020 at 18:09)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> looks good to me, thanks! Will you post this yourself or do you want me to? If I'm not the one posting I can distinguish it with Reddit coins, I have plenty left over</p>



<a name="193079916"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193079916" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193079916">(Apr 06 2020 at 18:10)</a>:</h4>
<p>I can post it to Reddit if you'd like... where were you thinking of hosting it?</p>



<a name="193079988"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193079988" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193079988">(Apr 06 2020 at 18:11)</a>:</h4>
<p>on Reddit</p>



<a name="193080173"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193080173" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193080173">(Apr 06 2020 at 18:12)</a>:</h4>
<p>it does Markdown, and really these digests are not immensely useful on their own, they're only there to give visibility to RustSec</p>



<a name="193080750"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193080750" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193080750">(Apr 06 2020 at 18:17)</a>:</h4>
<p>ok, I can post it to reddit</p>



<a name="193080916"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193080916" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193080916">(Apr 06 2020 at 18:18)</a>:</h4>
<p><a href="https://www.reddit.com/r/rust/comments/fw3vyg/security_advisories_for_march_2020_bitvec_hyper/" title="https://www.reddit.com/r/rust/comments/fw3vyg/security_advisories_for_march_2020_bitvec_hyper/">https://www.reddit.com/r/rust/comments/fw3vyg/security_advisories_for_march_2020_bitvec_hyper/</a>?</p>



<a name="193082346"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193082346" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193082346">(Apr 06 2020 at 18:29)</a>:</h4>
<p>I'll try to turn this into a monthly thing, should give the project visibility akin to what others are doing with weekly changelogs. Except we have something more important to report.</p>



<a name="193083398"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193083398" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193083398">(Apr 06 2020 at 18:37)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> I would confirm with the core team but you could post this to the "Inside Rust" blog.</p>



<a name="193083484"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193083484" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193083484">(Apr 06 2020 at 18:38)</a>:</h4>
<p>It would be more sharable than a reddit post.</p>



<a name="193093132"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193093132" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193093132">(Apr 06 2020 at 19:58)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> hrmm so I checked all the teams/permissions and everyone relevant appears to be in the <code>RustSec/working-group</code> team and should have Maintain access to all repos in the org</p>



<a name="193094210"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193094210" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193094210">(Apr 06 2020 at 20:07)</a>:</h4>
<p>looks like we've gotten a decent number (42) of upvotes on that reddit post</p>



<a name="193094468"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193094468" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193094468">(Apr 06 2020 at 20:09)</a>:</h4>
<p>I just noticed a typo in the reddit post: "[If] you discover a"</p>



<a name="193094910"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/193094910" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#193094910">(Apr 06 2020 at 20:12)</a>:</h4>
<p>fixed, thanks!</p>



<a name="195204628"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/195204628" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#195204628">(Apr 24 2020 at 15:27)</a>:</h4>
<p>wow, that's a lot of advisories filed in the past few days</p>



<a name="195245696"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/195245696" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#195245696">(Apr 24 2020 at 21:18)</a>:</h4>
<p>Do we have github actions set up to automatically assign numbers and/or update the website? If so, I could probably shoulder some of the administrivia like number assignment so that you don't have to</p>



<a name="195251849"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/195251849" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#195251849">(Apr 24 2020 at 22:27)</a>:</h4>
<p>I think it'd be great if we had a GHA to do assignment, that'd definitely lower the burden and make it easier for other folks to help out.</p>



<a name="195290882"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/195290882" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#195290882">(Apr 25 2020 at 16:02)</a>:</h4>
<p>I filed <a href="https://github.com/RustSec/rustsec-admin/issues/30" title="https://github.com/RustSec/rustsec-admin/issues/30">https://github.com/RustSec/rustsec-admin/issues/30</a> - once we have a command for it, wiring up to GHA should be easy</p>



<a name="195292349"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/195292349" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#195292349">(Apr 25 2020 at 16:38)</a>:</h4>
<p>I pushed up an old branch I had to automate the entire advisory publishing workflow: <a href="https://github.com/RustSec/rustsec-admin/pull/31" title="https://github.com/RustSec/rustsec-admin/pull/31">https://github.com/RustSec/rustsec-admin/pull/31</a></p>



<a name="195292350"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/195292350" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#195292350">(Apr 25 2020 at 16:38)</a>:</h4>
<p>open to a GHA-based alternative</p>



<a name="195292365"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/195292365" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#195292365">(Apr 25 2020 at 16:39)</a>:</h4>
<p>what'd be really nice with GHA is if we could automate publishing the web site every time something is merged</p>



<a name="195292387"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/195292387" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#195292387">(Apr 25 2020 at 16:39)</a>:</h4>
<p>(also I've been wanting to rip out Jekyll and replace it with a template-based HTML generator, as opposed to the current TOML -&gt; Markdown -&gt; Jekyll -&gt; HTML approach)</p>



<a name="196847341"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/196847341" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#196847341">(May 08 2020 at 00:34)</a>:</h4>
<p>So it's time for another "this month's vulnerabilities" post. My current plan is to mention that we've put out advisories for fake-static and polonium, but retracted the latter for the time being because it was surprisingly controversial, then ask for feedback on the course of action. Hopefully the combination of threaded conversation and voting can provide a better idea of how the community feels about it, beyond a few persistent voices.<br>
<span class="user-mention" data-user-id="132721">@Tony Arcieri</span> does that sound like a good plan? Any suggestions?</p>



<a name="196847377"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/196847377" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#196847377">(May 08 2020 at 00:34)</a>:</h4>
<p>sure</p>



<a name="197193003"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197193003" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197193003">(May 11 2020 at 19:29)</a>:</h4>
<p>This lets you create a use-after-free in safe code, but the author does not consider it a bug: <a href="https://github.com/spacejam/rio/issues/11">https://github.com/spacejam/rio/issues/11</a><br>
This is like the Polonius issue but even trickier</p>



<a name="197193269"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197193269" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197193269">(May 11 2020 at 19:31)</a>:</h4>
<p>You can get un-<code>Drop</code>'d instances without <code>mem::forget</code>, right?</p>



<a name="197193683"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197193683" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197193683">(May 11 2020 at 19:34)</a>:</h4>
<p>Yes, e.g. by creating a reference cycle with <code>Rc</code> or <code>Arc</code></p>



<a name="197193709"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197193709" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197193709">(May 11 2020 at 19:34)</a>:</h4>
<p>This is the entire reason why <code>mem::forget()</code> is safe in the first place</p>



<a name="197193790"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197193790" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197193790">(May 11 2020 at 19:35)</a>:</h4>
<p>This strikes me as a far more straightforward case than the polonius one.</p>



<a name="197195113"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197195113" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197195113">(May 11 2020 at 19:45)</a>:</h4>
<p>yeah I read withoutboats' blog post about this</p>



<a name="197195117"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197195117" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197195117">(May 11 2020 at 19:45)</a>:</h4>
<p>it was really interesting</p>



<a name="197200701"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197200701" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197200701">(May 11 2020 at 20:30)</a>:</h4>
<p>Okay, so I have a draft for the Reddit post on April security issues and soliciting feedback on handling intentional safety violations:<br>
<a href="https://hackmd.io/@xmxSgN6MSImJPcY4MOKfjA/r1tntmvc8/edit">https://hackmd.io/@xmxSgN6MSImJPcY4MOKfjA/r1tntmvc8/edit</a><br>
Should be editable by everyone. Feedback and corrections are very welcome.<br>
<span class="user-mention" data-user-id="132721">@Tony Arcieri</span> waiting for your sign-off before posting.</p>



<a name="197205027"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197205027" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197205027">(May 11 2020 at 21:08)</a>:</h4>
<blockquote>
<p>soliciting feedback on handling intentional safety violations</p>
</blockquote>
<p>might be good to open some GitHub issues on that in advance</p>



<a name="197208923"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197208923" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197208923">(May 11 2020 at 21:49)</a>:</h4>
<p>Frankly I want to direct people to Reddit comments instead because unlike github issues they have threaded conversation and voting</p>



<a name="197209053"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197209053" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197209053">(May 11 2020 at 21:50)</a>:</h4>
<p>hmm, let me see if I can come up with a good way to convey that</p>



<a name="197209872"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197209872" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197209872">(May 11 2020 at 21:58)</a>:</h4>
<p>Okay, I have a draft that seems publishable. Edits are still very welcome. <span class="user-mention" data-user-id="132721">@Tony Arcieri</span> awaiting your sign-off.</p>



<a name="197210094"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197210094" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197210094">(May 11 2020 at 22:00)</a>:</h4>
<p>Github has voting, it just requires emoji-reactions!</p>



<a name="197210673"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197210673" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197210673">(May 11 2020 at 22:06)</a>:</h4>
<p>Not threads though, and I don't want to decide this on voting alone. Having people present counter-arguments to proposed points in a structured way - and also have voting on that - is great.</p>



<a name="197217232"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197217232" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197217232">(May 11 2020 at 23:15)</a>:</h4>
<p>I have some concerns about using either Reddit or GitHub for voting, both in terms of getting a representative sample of community opinion, and also because things have kind of gone off the rails with that stuff in the past (see especially Actix)</p>



<a name="197217246"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197217246" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197217246">(May 11 2020 at 23:15)</a>:</h4>
<p>that said I don't know a better option</p>



<a name="197217301"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197217301" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197217301">(May 11 2020 at 23:16)</a>:</h4>
<p>something like the recent Rust community poll perhaps</p>



<a name="197217411"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197217411" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197217411">(May 11 2020 at 23:17)</a>:</h4>
<p>Yeah, maybe include an explicit reminder that brigading someone else's github is not useful.</p>



<a name="197217539"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197217539" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197217539">(May 11 2020 at 23:19)</a>:</h4>
<p>there's also another option</p>



<a name="197217546"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197217546" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197217546">(May 11 2020 at 23:19)</a>:</h4>
<p>as far as the 3 ones enumerated there go</p>



<a name="197217610"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197217610" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197217610">(May 11 2020 at 23:20)</a>:</h4>
<p><code>cargo-deny</code> is built on the <code>rustsec</code> crate and uses that to both parse <code>Cargo.lock</code> and query advisories</p>



<a name="197217626"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197217626" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197217626">(May 11 2020 at 23:20)</a>:</h4>
<p>we could surface these advisories through there</p>



<a name="197217640"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197217640" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197217640">(May 11 2020 at 23:20)</a>:</h4>
<p>(and optionally through <code>cargo-audit</code> too, but perhaps off-by-default)</p>



<a name="197217941"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197217941" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197217941">(May 11 2020 at 23:23)</a>:</h4>
<p>ah, so we <em>could</em> in theory surface these only through <code>cargo-deny</code>. Now that's a thought</p>



<a name="197218084"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197218084" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197218084">(May 11 2020 at 23:25)</a>:</h4>
<p>I can post a link to the Reddit post to <a href="http://users.rust-lang.org">users.rust-lang.org</a> in order to get a more representative sample. RustSec twitter is yet another avenue</p>



<a name="197218111"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197218111" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197218111">(May 11 2020 at 23:25)</a>:</h4>
<p>also this is relevant <a href="https://github.com/RustSec/cargo-audit/pull/206">https://github.com/RustSec/cargo-audit/pull/206</a></p>



<a name="197218819"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197218819" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197218819">(May 11 2020 at 23:35)</a>:</h4>
<p>I've added the 4th option</p>



<a name="197218932"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197218932" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197218932">(May 11 2020 at 23:36)</a>:</h4>
<p>I went out of my way to prevent github brigading. Not only is the relevant issue on the bug tracker closed and locked, the project name is never even mentioned in Boats' post. It's not even clear from the post if there are any implementations of said approach or not.</p>



<a name="197219093"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197219093" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197219093">(May 11 2020 at 23:39)</a>:</h4>
<p>As for using Reddit as a platform, I'm not aware of a better platform. The only mitigation I can see is cross-posting it to other platforms.</p>



<a name="197219187"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197219187" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197219187">(May 11 2020 at 23:40)</a>:</h4>
<p>I don't see any other concerns raised, so I'm going to consider the current version "as good as it gets". Awaiting more comments or an approval to post</p>



<a name="197220599"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197220599" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197220599">(May 12 2020 at 00:00)</a>:</h4>
<p>yeah go for it</p>



<a name="197297273"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197297273" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197297273">(May 12 2020 at 15:52)</a>:</h4>
<p>OK it's live: <a href="https://www.reddit.com/r/rust/comments/gidtpe/security_advisories_for_april_2020_rustqlite_os/">https://www.reddit.com/r/rust/comments/gidtpe/security_advisories_for_april_2020_rustqlite_os/</a><br>
Feel free to cross-post to other places for a more representative sample</p>



<a name="197298313"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197298313" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197298313">(May 12 2020 at 16:00)</a>:</h4>
<p>cool will post as the RustSec Twitter account and retweet as my personal account</p>



<a name="197298768"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197298768" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197298768">(May 12 2020 at 16:03)</a>:</h4>
<p><a href="https://twitter.com/RustSec/status/1260239061416947719">https://twitter.com/RustSec/status/1260239061416947719</a></p>
<div class="inline-preview-twitter"><div class="twitter-tweet"><a href="https://twitter.com/RustSec/status/1260239061416947719"><img class="twitter-avatar" src="https://pbs.twimg.com/profile_images/825186818278584320/zVKr7DJa_normal.jpg"></a><p>We've posted a retrospective on RUSTSEC advisories filed in April 2020:

- rusqlite
- os_str_bytes
- flatbuffers
- fake-static
- plutonium

<a href="https://t.co/PMdYuQtOf5">https://www.reddit.com/r/rust/comments/gidtpe/security_advisories_for_april_2020_rustqlite_os/</a></p><span>- RustSec (@RustSec)</span></div></div>



<a name="197306929"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197306929" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197306929">(May 12 2020 at 17:07)</a>:</h4>
<p>heh, oh boy <a href="https://github.com/RustSec/advisory-db/pull/293">https://github.com/RustSec/advisory-db/pull/293</a></p>



<a name="197307334"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197307334" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197307334">(May 12 2020 at 17:09)</a>:</h4>
<p>also wow, fairly one-sided discussion on that Reddit post (in a good way, IMO)</p>



<a name="197307427"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197307427" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197307427">(May 12 2020 at 17:10)</a>:</h4>
<p>also damn, 78 points</p>



<a name="197307592"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197307592" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197307592">(May 12 2020 at 17:11)</a>:</h4>
<p>Wow, that is gaining points quickly</p>



<a name="197307599"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197307599" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197307599">(May 12 2020 at 17:11)</a>:</h4>
<p>I've replied on the PR</p>



<a name="197320971"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197320971" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197320971">(May 12 2020 at 18:50)</a>:</h4>
<p>Also cross-posted to <a href="http://users.rust-lang.org">users.rust-lang.org</a>: <a href="https://users.rust-lang.org/t/security-advisories-for-april-2020-rustqlite-os-str-bytes-flatbuffers/42504">https://users.rust-lang.org/t/security-advisories-for-april-2020-rustqlite-os-str-bytes-flatbuffers/42504</a></p>



<a name="197322961"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197322961" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197322961">(May 12 2020 at 19:04)</a>:</h4>
<p>welp, the Reddit post is #1 on /r/rust now</p>



<a name="197388347"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197388347" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197388347">(May 13 2020 at 09:37)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197219093">said</a>:</p>
<blockquote>
<p>As for using Reddit as a platform, I'm not aware of a better platform. The only mitigation I can see is cross-posting it to other platforms.</p>
</blockquote>
<p>We really shouldn't be having the primary discussion on a platform that we don't moderate or promote as official. We have much better resources. I would write these advisory posts on the "Inside Rust" blog if they're meant to be on behalf of the working group. If you want to solicit feedback, I would recommend then posting the link of the blog on other platforms, and direct discussion to discourse or to the Zulip. You can even give people the email address to send feedback &lt;<a href="mailto:wg-secure-code.ce41ebc1bb12c5c507d7017f50ca1272.show-sender@streams.zulipchat.com">wg-secure-code.ce41ebc1bb12c5c507d7017f50ca1272.show-sender@streams.zulipchat.com</a>&gt;. Any/all of those things would be better than posting on reddit.</p>



<a name="197469250"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197469250" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197469250">(May 13 2020 at 20:08)</a>:</h4>
<p>Sadly I don't have the time to go into this right now, but I just wanted to quickly acknowledge this and also note that I'd like to have a more in-depth conversation about this. Thanks for bringing this up.</p>



<a name="197469288"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197469288" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197469288">(May 13 2020 at 20:08)</a>:</h4>
<p>I'll write something up here and mention you in the next few days.</p>



<a name="197547802"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197547802" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#197547802">(May 14 2020 at 12:54)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197193003">said</a>:</p>
<blockquote>
<p>This lets you create use-after-free in safe code, but the author does not consider it a bug: <a href="https://github.com/spacejam/rio/issues/11">https://github.com/spacejam/rio/issues/11</a><br>
This is like the Polonius issue but even trickier</p>
</blockquote>
<p>no it's simpler because there are no macros. this crate is unsound and this time I doubt someone finds a good counterargument.^^</p>



<a name="198095798"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/198095798" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tshepang Lekhonkhobe <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#198095798">(May 19 2020 at 16:57)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/RustSec/near/197297273">said</a>:</p>
<blockquote>
<p>OK it's live: <a href="https://www.reddit.com/r/rust/comments/gidtpe/security_advisories_for_april_2020_rustqlite_os/">https://www.reddit.com/r/rust/comments/gidtpe/security_advisories_for_april_2020_rustqlite_os/</a><br>
Feel free to cross-post to other places for a more representative sample</p>
</blockquote>
<p>that audit github action, it doesn't look like it opens issues when it fails the check (as stated on the post)</p>



<a name="198112745"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/198112745" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#198112745">(May 19 2020 at 19:09)</a>:</h4>
<p>works for me...</p>



<a name="198112784"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/198112784" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#198112784">(May 19 2020 at 19:09)</a>:</h4>
<p><a href="https://github.com/iqlusioninc/tmkms/issues/48">https://github.com/iqlusioninc/tmkms/issues/48</a></p>



<a name="198402789"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/198402789" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tshepang Lekhonkhobe <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#198402789">(May 22 2020 at 03:20)</a>:</h4>
<p>alright, it does work... had to merge my changes onto master, and seems to only work on a cron schedule</p>



<a name="202369289"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/202369289" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#202369289">(Jun 29 2020 at 21:18)</a>:</h4>
<p>Should we go ahead with the <a href="https://github.com/RustSec/advisory-db/pull/311">ID-assigning Github action</a>?<br>
We have plenty of advisories pending, so we have something to test it on. And it's about time we got something that spares Tony the drudgery.</p>



<a name="202384330"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/202384330" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#202384330">(Jun 30 2020 at 00:36)</a>:</h4>
<p>it's merged. as soon as we merge an advisory we'll see if it works</p>



<a name="202384344"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/202384344" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#202384344">(Jun 30 2020 at 00:37)</a>:</h4>
<p>if you have one to suggest starting with, be my guest and merge it</p>



<a name="202479163"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/202479163" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#202479163">(Jun 30 2020 at 18:53)</a>:</h4>
<p>it appears to be working <span aria-label="tada" class="emoji emoji-1f389" role="img" title="tada">:tada:</span></p>



<a name="202481041"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/202481041" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#202481041">(Jun 30 2020 at 19:08)</a>:</h4>
<p><span aria-label="tada" class="emoji emoji-1f389" role="img" title="tada">:tada:</span></p>



<a name="202489944"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/202489944" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#202489944">(Jun 30 2020 at 20:24)</a>:</h4>
<p>Looks like the next step to reduce the workload for you would be to have it title the PRs + commit messages appropriately? Shall we file a bug on rustsec-admin to have it output stuff in a way to make that easy?</p>



<a name="202492176"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/202492176" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#202492176">(Jun 30 2020 at 20:43)</a>:</h4>
<p>sounds good</p>



<a name="202492294"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/202492294" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#202492294">(Jun 30 2020 at 20:44)</a>:</h4>
<p>another neat thing would be to have merged assignment PRs file a PR to update the web site, if that's possible somehow</p>



<a name="202493164"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/202493164" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#202493164">(Jun 30 2020 at 20:52)</a>:</h4>
<p>All things are possible with code <span aria-label="joy" class="emoji emoji-1f602" role="img" title="joy">:joy:</span> . Can you file bugs for these, I'm not going to have time to look for a bit.</p>



<a name="202576499"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/202576499" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#202576499">(Jul 01 2020 at 14:39)</a>:</h4>
<p>What happens if I push "merge" button on PRs now? <a href="https://github.com/RustSec/advisory-db/pull/319">https://github.com/RustSec/advisory-db/pull/319</a> looks good to me, I wonder if there's anything else that needs to be done (other than updating the website which can be done in bulk later)</p>



<a name="202594376"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/202594376" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#202594376">(Jul 01 2020 at 16:55)</a>:</h4>
<p>you can now just push merge and it will open a PR to assign it. we can only have one of those at a time I guess until the other PR is merged</p>



<a name="202808069"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/202808069" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#202808069">(Jul 03 2020 at 14:17)</a>:</h4>
<p>There were no objections to filing unsoundness in <code>rio</code> as a vulnerability, so I went ahead and merged it.<br>
<a href="https://github.com/RustSec/advisory-db/pull/293">https://github.com/RustSec/advisory-db/pull/293</a><br>
In the unlikely event that this causes controversy, I personally take full responsibility for this decision.</p>



<a name="202871877"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/202871877" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#202871877">(Jul 04 2020 at 12:35)</a>:</h4>
<p>Is it OK to merge <code>informational = "unsound"</code> advisories, or would that create issues for older releases of cargo-audit?</p>



<a name="203291295"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/203291295" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#203291295">(Jul 08 2020 at 16:40)</a>:</h4>
<p>yes, you can merge them now. older (well, really all for now) releases ignore them</p>



<a name="204622145"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/204622145" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#204622145">(Jul 22 2020 at 01:26)</a>:</h4>
<p><a href="https://github.com/trailofbits/siderophile/issues/16#issuecomment-661306076">https://github.com/trailofbits/siderophile/issues/16#issuecomment-661306076</a></p>



<a name="211353783"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211353783" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211353783">(Sep 26 2020 at 10:30)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> where's the code for the linter of RustSec advisories? I've found a bug, would like to go ahead and fix it</p>



<a name="211361881"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211361881" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211361881">(Sep 26 2020 at 14:12)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> <a href="https://github.com/RustSec/rustsec-admin/blob/master/src/linter.rs">https://github.com/RustSec/rustsec-admin/blob/master/src/linter.rs</a></p>



<a name="211361913"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211361913" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211361913">(Sep 26 2020 at 14:12)</a>:</h4>
<p><a href="https://github.com/RustSec/rustsec-crate/blob/master/src/advisory/linter.rs">https://github.com/RustSec/rustsec-crate/blob/master/src/advisory/linter.rs</a></p>



<a name="211381731"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211381731" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211381731">(Sep 26 2020 at 20:39)</a>:</h4>
<p>I've filed 5 security advisories for actix-web, all resolved by now. <span class="user-mention" data-user-id="132721">@Tony Arcieri</span> now's the time to push the "refresh website" button</p>



<a name="211381787"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211381787" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211381787">(Sep 26 2020 at 20:40)</a>:</h4>
<p>done, also I think you can do it too, heh</p>



<a name="211381798"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211381798" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211381798">(Sep 26 2020 at 20:40)</a>:</h4>
<p>Oh, how?</p>



<a name="211381800"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211381800" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211381800">(Sep 26 2020 at 20:40)</a>:</h4>
<p>it's <code>rustsec-admin web</code> if you have <code>rustsec-admin</code> installed</p>



<a name="211381807"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211381807" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211381807">(Sep 26 2020 at 20:40)</a>:</h4>
<p>I don't, I'll have to look into it</p>



<a name="211381811"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211381811" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211381811">(Sep 26 2020 at 20:40)</a>:</h4>
<p>check out <a href="https://github.com/RustSec/rustsec.github.io">https://github.com/RustSec/rustsec.github.io</a></p>



<a name="211381813"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211381813" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211381813">(Sep 26 2020 at 20:40)</a>:</h4>
<p>run <code>rustsec-admin web</code></p>



<a name="211381814"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211381814" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211381814">(Sep 26 2020 at 20:40)</a>:</h4>
<p>commit and push</p>



<a name="211381819"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211381819" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211381819">(Sep 26 2020 at 20:41)</a>:</h4>
<p>would be nice to automate this with GitHub Actions or something</p>



<a name="211382115"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211382115" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211382115">(Sep 26 2020 at 20:49)</a>:</h4>
<p>It's probably like 2 lines of YAML if you put a secret on the repo with the value.</p>



<a name="211382122"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211382122" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211382122">(Sep 26 2020 at 20:49)</a>:</h4>
<p>Errr, with a github token that can push</p>



<a name="211382825"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211382825" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211382825">(Sep 26 2020 at 21:09)</a>:</h4>
<p>that's doable</p>



<a name="211382831"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211382831" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211382831">(Sep 26 2020 at 21:09)</a>:</h4>
<p>hopefully it doesn't result in the web site being horribly defaced some day <span aria-label="sweat smile" class="emoji emoji-1f605" role="img" title="sweat smile">:sweat_smile:</span></p>



<a name="211413401"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/211413401" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#211413401">(Sep 27 2020 at 12:06)</a>:</h4>
<p>Yeah, I figured that token management is the hard part. My impulse is to stuff the entire thing in a docker container and throw it on one of the cloud serverless platforms that scale down to 0. Then allow unauthenticated users to trigger the update via RPC, with a rate limit and/or a limit on the number of monthly executions.</p>



<a name="212659753"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/212659753" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Barretto <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#212659753">(Oct 08 2020 at 08:25)</a>:</h4>
<p>Hello all. I've largely taken over maintenance of <code>spin</code>. Hopefully we'll be releasing a new version today that adds <code>lock_api</code> compatibility and cleans up a lot of the internal <code>unsafe</code> code. How should I go about marking it as 'maintained'?</p>



<a name="212675012"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/212675012" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#212675012">(Oct 08 2020 at 11:21)</a>:</h4>
<p><span class="user-mention" data-user-id="250715">@Joshua Barretto</span> I'm excited to hear that!<br>
Add <code>yanked=true</code> to the advisory, like here: <a href="https://github.com/RustSec/advisory-db/blob/ac125ee29a3b934fc00f52bf56031dc837e9384d/crates/plutonium/RUSTSEC-2020-0011.md">https://github.com/RustSec/advisory-db/blob/ac125ee29a3b934fc00f52bf56031dc837e9384d/crates/plutonium/RUSTSEC-2020-0011.md</a></p>



<a name="212675091"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/212675091" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Barretto <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#212675091">(Oct 08 2020 at 11:22)</a>:</h4>
<p>Thanks for the info, I'll do that now.</p>



<a name="212675891"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/212675891" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#212675891">(Oct 08 2020 at 11:33)</a>:</h4>
<p>Hmm, I don't think that <code>yanked=true</code> actually did anything. I'm still getting the warning when running <code>cargo audit</code>. <span class="user-mention" data-user-id="132721">@Tony Arcieri</span> any insights?</p>



<a name="212694588"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/212694588" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#212694588">(Oct 08 2020 at 14:07)</a>:</h4>
<p>It might be a bug. iirc the same thing happened with <code>plutonium</code></p>



<a name="212694732"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/212694732" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#212694732">(Oct 08 2020 at 14:08)</a>:</h4>
<p>also all the unmaintained crate advisories generally include the last known release, so if a new version is released, the advisory shouldn't apply to that</p>



<a name="212694836"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/212694836" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#212694836">(Oct 08 2020 at 14:09)</a>:</h4>
<p>the <code>spin</code> advisory has unaffected versions: <code>&gt; v0.5.2</code></p>



<a name="212695292"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/212695292" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Barretto <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#212695292">(Oct 08 2020 at 14:12)</a>:</h4>
<p>That might be true, but it would still bring up an advisory warning for crates that rely on an older version (as I'm sure most will for some time) despite it being no longer valid.</p>



<a name="212696276"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/212696276" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#212696276">(Oct 08 2020 at 14:17)</a>:</h4>
<p>yeah, we should fix the yanked bug. we could also change that version to be <code>=0.0.0</code> or something</p>



<a name="212731470"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/212731470" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#212731470">(Oct 08 2020 at 18:31)</a>:</h4>
<p>Plutonium upstream has <a href="https://docs.rs/plutonium/0.5.2/plutonium/">very much embraced</a> the advisory, so we probably need to un-yank it anyway.</p>



<a name="212731598"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/212731598" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#212731598">(Oct 08 2020 at 18:32)</a>:</h4>
<blockquote>
<p>You can learn more about plutonium at the Rust Security Advisory Database.</p>
</blockquote>
<p>this is gold</p>



<a name="212732372"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/212732372" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> cuviper <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#212732372">(Oct 08 2020 at 18:38)</a>:</h4>
<p>no, gold and plutonium are distinct elements</p>



<a name="214173768"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/214173768" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#214173768">(Oct 22 2020 at 11:33)</a>:</h4>
<p>Automatic ID assignment is broken. I've assigned an ID manually and broke CI for master - I believe there's a mismatch between the ID and the disclosure date, which wasn't a problem before. I'm busy all day today, leaving this here so hopefully someone else can take a look.</p>



<a name="214187874"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/214187874" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#214187874">(Oct 22 2020 at 13:38)</a>:</h4>
<p>I can come up with a fix</p>



<a name="214187920"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/214187920" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#214187920">(Oct 22 2020 at 13:38)</a>:</h4>
<p>I also updated the example advisory to the Markdown format: <a href="https://github.com/RustSec/advisory-db/pull/436">https://github.com/RustSec/advisory-db/pull/436</a></p>



<a name="214188648"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/214188648" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#214188648">(Oct 22 2020 at 13:44)</a>:</h4>
<p>this should fix CI: <a href="https://github.com/RustSec/advisory-db/pull/437">https://github.com/RustSec/advisory-db/pull/437</a></p>



<a name="214505996"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/214505996" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#214505996">(Oct 25 2020 at 18:57)</a>:</h4>
<p>woohoo, it works again <span aria-label="tada" class="emoji emoji-1f389" role="img" title="tada">:tada:</span> <a href="https://github.com/RustSec/advisory-db/pull/441">https://github.com/RustSec/advisory-db/pull/441</a></p>



<a name="223426847"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/223426847" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#223426847">(Jan 20 2021 at 20:00)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> what do you think about promoting <span class="user-mention" data-user-id="329529">@Yechan Bae</span> to a RustSec maintainer? They are quite familiar with the format now, clearly can triage issues, and have better communication skills than I do.</p>



<a name="223452954"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/223452954" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#223452954">(Jan 20 2021 at 23:44)</a>:</h4>
<p>Sounds good to me</p>



<a name="223497358"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/223497358" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#223497358">(Jan 21 2021 at 11:46)</a>:</h4>
<p><span class="user-mention" data-user-id="329529">@Yechan Bae</span> I've sent you a RustSec org invitation. We'd be happy to have you aboard!</p>



<a name="223566250"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/223566250" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#223566250">(Jan 21 2021 at 20:30)</a>:</h4>
<p>Hey, thank you for the invitation! I'm definitely willing to help maintain RustSec projects. Unfortunately, I cannot accept the invitation right now. Our team is preparing a paper submission on the topic of bug finding in Rust, and until then we think it's safer to remain a 3rd party to avoid the potential conflict of interest.</p>



<a name="223566608"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/223566608" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#223566608">(Jan 21 2021 at 20:33)</a>:</h4>
<p>Fair enough. Let me know if/when you're ready!</p>



<a name="223766568"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/223766568" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#223766568">(Jan 23 2021 at 19:06)</a>:</h4>
<p><a href="https://dependabot.com/rust/">https://dependabot.com/rust/</a> advertises checking against the RustSec database. Should we add it to the README? If so, what about the GitHub action that runs <code>cargo-audit</code>?</p>



<a name="223915448"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/223915448" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#223915448">(Jan 25 2021 at 15:48)</a>:</h4>
<p>Interesting</p>



<a name="241336989"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec/near/241336989" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Darakian <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.html#241336989">(Jun 03 2021 at 00:38)</a>:</h4>
<p><span aria-label="wave" class="emoji emoji-1f44b" role="img" title="wave">:wave:</span></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>